Hi Ben,

> securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled =
> false

This prevents Shiro from using a Subject's Session for Shiro's own needs. It does not prevent you, the application developer (or something under your control, like a JSP page or other web component), from using Sessions. More info here:

http://shiro.apache.org/session-management.html#SessionManagement-DisablingSubjectStateSessionStorage

(note the yellow warning box).

Odds are high that another part of your app (or a JSP page) is trying to use or create a session (e.g. via request.getSession()). If using JSP, ensure you have the following directive at the top of the page:

<%@ page session="false" %>

Additionally for web apps, you may wish to disable sessions entirely under a particular URL or URLs:

http://shiro.apache.org/session-management.html#SessionManagement-WebApplications

Another approach is to create a SessionManager implementation that always throws an exception when 'start' is called and configure that on the SecurityManager, e.g.

securityManager.sessionManager = $noSessionManager

HTH!

Cheers,

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

>
> We're getting an ExpiredSessionException after 30 minutes. This seems weird
> to me since we want sessions turned off to run in sessionless mode.
>
> We're logging the user in with every request since we're sessionless. Is
> this the wrong thing to be doing?
> SecurityUtils.getSubject();
> UsernamePasswordToken token = new UsernamePasswordToken(user, pass);
> try {
> currentUser.login(token);
> } ...
>
> The stacktrace we're getting is below. We're using
> org.apache.shiro:shiro-core:1.2.0-SNAPSHOT from the snapshot Maven
> repository.
>
> org.apache.shiro.session.ExpiredSessionException: Session with id
> [2840cc08-d5d0-4e84-80c0-3249242b8a3d] has expired. Last access time:
> 11/1/11 12:01 PM. Current time: 11/1/11 12:53 PM. Session timeout is set to
> 1800 seconds (30 minutes)
>
> org.apache.shiro.session.mgt.SimpleSession.validate(SimpleSession.java:292)
>
> org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doValidate(AbstractValidatingSessionManager.java:180)
>
> org.apache.shiro.session.mgt.AbstractValidatingSessionManager.validate(AbstractValidatingSessionManager.java:143)
>
> org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:120)
>
> org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:105)
>
> org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:109)
>
> org.apache.shiro.session.mgt.AbstractNativeSessionManager.removeAttribute(AbstractNativeSessionManager.java:220)
>
> org.apache.shiro.session.mgt.DelegatingSession.removeAttribute(DelegatingSession.java:159)
>
> org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>
> org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>
> org.apache.shiro.subject.support.DelegatingSubject.clearRunAsIdentities(DelegatingSubject.java:456)
>
> org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:258)
>
> Thanks for the help,
> Ben
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Session-expiration-when-using-stateless-application-tp6953312p6953312.html
> Sent from the Shiro User mailing list archive at Nabble.com.
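
The SessionManager approach suggested in the reply, as an added example that is not part of the original thread and not Shiro's own code. The class name NoSessionManager and the package com.example.security are assumptions; the exception raised in start() carries the stack trace of whichever component tried to create a session, which is the part of a stateless app you then need to fix.

```java
package com.example.security; // hypothetical package, adjust to your app

import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.session.mgt.SessionContext;
import org.apache.shiro.session.mgt.SessionKey;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.subject.support.DisabledSessionException;

/**
 * SessionManager for a stateless application: it never creates a session
 * and fails loudly when anything asks for one.
 *
 * Wiring in shiro.ini (the bean name noSessionManager matches the reply):
 *
 *   noSessionManager = com.example.security.NoSessionManager
 *   securityManager.sessionManager = $noSessionManager
 *   securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false
 */
public class NoSessionManager implements SessionManager {

    @Override
    public Session start(SessionContext context) {
        // Any caller that reaches this point is violating the stateless
        // contract (for example subject.getSession() in application code).
        // Throwing here puts that caller into the stack trace instead of
        // silently creating a session that later expires.
        throw new DisabledSessionException(
            "Session creation is disabled: this application is stateless. "
            + "Check the stack trace for the component requesting a session.");
    }

    @Override
    public Session getSession(SessionKey key) throws SessionException {
        // Nothing is ever stored, so there is never a session to return.
        // The SessionManager contract allows null when no session is found.
        return null;
    }
}
```

Credentials are still checked on every request with this configuration, so each request must carry them and the transport must protect them.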
