We are using a DB backend to store our Shiro native sessions. We ran into a bug while testing. If two different users log in from the same machine (PC) via two different browsers/sessions (irrespective of the browser type), somehow Shiro takes the last login creds as "the user creds".
Example steps:

1) UserA logs in (same PC) -> IE browser
2) UserB logs in (same PC) -> IE browser
3) UserA saves some customized data in the app.

After the save, the freshly saved user information (SecurityUtil.getSubject.getPrincipal()) is owned by UserB (when in fact it should be UserA). It's as if UserB takes over since that is the "fresh/latest" cookie on the user's machine? How can we disable this from happening?

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-JSESSIONID-issues-tp5528335p5528335.html
Sent from the Shiro User mailing list archive at Nabble.com.

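The scenario in the post, as an added model that is not part of the original message or of Shiro itself: one cookie jar per browser profile is shared by all its tabs, so the second login rebinds the only JSESSIONID the jar holds, and tab 1's later save is attributed to UserB. The `login_strict` variant (an assumed hardening, not Shiro's API) shows what the server side can do on its own: end the prior session, issue a fresh id and record the rebinding, which makes the event visible but cannot give the two tabs separate identities.

```python
"""Model of cookie-based sessions with a shared browser cookie jar (constructed example)."""
from dataclasses import dataclass, field
import secrets


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)  # session_id -> principal or None
    audit: list = field(default_factory=list)     # security events worth alerting on

    def new_session(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = None
        return sid

    def login_naive(self, sid, user):
        # Naive: rebind whatever session the cookie names to the new principal.
        self.sessions[sid] = user
        return sid

    def login_strict(self, sid, user):
        # Hardened: a session already bound to another principal is ended,
        # the rebinding is audited, and a fresh session id is issued.
        prior = self.sessions.get(sid)
        if prior is not None and prior != user:
            self.audit.append(f"session {sid} rebound from {prior} to {user}")
            del self.sessions[sid]
        new_sid = self.new_session()
        self.sessions[new_sid] = user
        return new_sid

    def principal(self, sid):
        return self.sessions.get(sid)


class CookieJar:
    """One per browser profile; every tab sends the same JSESSIONID."""
    def __init__(self):
        self.jsessionid = None


def scenario(strict):
    store, jar = SessionStore(), CookieJar()
    jar.jsessionid = store.new_session()
    login = store.login_strict if strict else store.login_naive
    jar.jsessionid = login(jar.jsessionid, "UserA")  # tab 1 logs in
    jar.jsessionid = login(jar.jsessionid, "UserB")  # tab 2, same jar, logs in
    # Tab 1 now saves; its request carries whatever cookie the jar currently holds.
    owner = store.principal(jar.jsessionid)
    return owner, store.audit
```

In both variants the save lands under UserB; only the strict variant leaves an audit record of the session changing hands.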