Does this happen when using two different browsers? For example, with one IE instance and the other a Firefox instance? If it does not, then it must be a problem at the browser level.

Also, are you using IE 8? I found this link, which may help:

http://blogs.msdn.com/b/ie/archive/2009/05/06/session-cookies-sessionstorage-and-ie8.aspx

Try File > New Session w/ IE8 and see if the issue still remains. Also try with Firefox and IE to see what happens - please tell us what you find.

Finally, if you don't believe this to be IE's fault, do you have a very simple test app that could be used to re-create this? You could easily use the 'web' sample application in the Shiro source distribution but turn on native sessions and use, say, an embedded H2 database to try and re-create the relevant part of your environment.

Regards,

Les

On Mon, Sep 13, 2010 at 4:00 PM, enabler <[email protected]> wrote:
>
> We are using a DB backend to store our Shiro native sessions. We ran into a bug
> while testing. If two different users log in from the same machine (PC) via
> two different browsers/sessions (irrespective of the browser type), somehow
> Shiro takes the last login creds as "the user creds".
>
> Example steps:
> 1) UserA login (same PC) -> IE browser
> 2) UserB login (same PC) -> IE browser
> 3) User A saves some customized data in app. After the save, the freshly
> saved (SecurityUtil.getSubject.getPrincipal()) user information is owned by
> User B (when in fact it should be User A).
>
> It's as if User B takes over since that is the "fresh/latest" cookie on the
> user's machine? How can we disable this from happening?
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Shiro-JSESSIONID-issues-tp5528335p5528335.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
