Hi Francesco,

Your logic is exactly correct, with one caveat: passing a session id manually _only_ works when using Shiro's native sessions. There is no way to obtain a session from the ServletContainer based on a session ID. Therefore, you need to ensure that you're using Shiro's native sessions and _not_ the servlet container sessions (which are used by default).

In Shiro's INI, you can configure this easily:

securityManager.sessionMode = native

# you can also disable the session cookie entirely after native sessions are enabled:
securityManager.sessionManager.sessionIdCookieEnabled = false

That should work. Please let us know how it goes!

Cheers,

--
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

On Sun, Jan 2, 2011 at 5:36 AM, Francesco Pasqualini <[email protected]> wrote:
> Hi,
> I really like the Shiro API and approach.
> I'm trying to use Shiro with GWT.
> But it seems there is a problem.
> According to the GWT "login security faq", I need to avoid using, on the
> server side, the session id retrieved from the cookie; instead I must pass it
> in the payload of the RPC request.
> http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
> So I implemented my GWT+Shiro as follows:
> 1) when the user starts login: obtain the new Shiro sessionId, pass it to the
> client, and store it in the client to pass back to the server
> 2) when a logged-in user does an RPC request: pass the stored sessionId from
> the client to the server in the payload of the RPC request, and on the server
> side I access the session this way:
> Subject.Builder().sessionId(sessionId).buildSubject().getSession()
> But my code does not work.
> When the user logs out and logs in again, Shiro does not provide a new
> sessionId, but keeps using the old one that is no longer valid (logout), so I
> have the following exception when I try to log in with Shiro
> (currentUser.login(token)):
> "There is no session with id [the old ID]".
> Is there a way to tell Shiro not to use the sessionId passed with cookies
> but only the one "programmatically" passed?
> thanks
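The server-side half of the flow Les describes, as an added example that is not part of this thread or of Shiro itself: a login RPC that builds a subject without any inherited session id and returns the fresh native session id, an RPC that resolves the subject from the id carried in the payload (never from a cookie) and treats a logged-out or expired id as anonymous, and a logout that invalidates the session. It assumes shiro.ini already sets securityManager.sessionMode = native as above and that SecurityUtils holds that SecurityManager; the class and method names are hypothetical.

```java
// Added example, not from the thread or from Shiro. Assumes the SecurityManager
// built from a shiro.ini with securityManager.sessionMode = native has been set
// on SecurityUtils. RpcSessionService and its methods are hypothetical names.
import java.io.Serializable;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class RpcSessionService {

    /** Login RPC: authenticate and return a fresh native session id for the client to store. */
    public Serializable login(String username, char[] password) throws AuthenticationException {
        // No sessionId() on the builder: nothing from a cookie or from a previous
        // (logged-out) login can leak into this subject, which avoids the
        // "There is no session with id [...]" failure on re-login.
        Subject subject = new Subject.Builder().buildSubject();
        subject.login(new UsernamePasswordToken(username, password));
        return subject.getSession().getId(); // session created by the successful login
    }

    /** Resolve the caller for an ordinary RPC from the id in the payload only. */
    public Subject resolve(Serializable sessionId) {
        if (sessionId != null) {
            Subject subject = new Subject.Builder().sessionId(sessionId).buildSubject();
            try {
                Session session = subject.getSession(false); // null if the id did not resolve
                if (session != null) {
                    session.touch(); // throws InvalidSessionException if logged out or expired
                    return subject;
                }
            } catch (InvalidSessionException e) {
                // Stale id: fall through and treat the caller as anonymous.
            }
        }
        return new Subject.Builder().buildSubject(); // anonymous subject, no session
    }

    /** Logout RPC: invalidate the native session; the client must discard its stored id. */
    public void logout(Serializable sessionId) {
        resolve(sessionId).logout();
    }
}
```

Because RPCs are resolved only through resolve(), a request that still carries an id from before logout is handled as anonymous rather than failing inside login().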
