I have some questions about session handling. How is it possible to detect a session timeout? I've implemented a PhaseListener (JSF) to be able to redirect a request when the session has timed out or the user tries to access a page and the subject isn't authenticated. Here's the problem.
On our /login.jsf site there is no session created, so I ignore these requests within my listener. The user logs in to the application, a session is created (native) and the subject is authenticated. The user clears his browser cache and clicks on some buttons that cause Ajax requests. Now my PhaseListener should be able to detect that the session is gone, and a redirect to the "Your session timed out" page must be performed. Because Shiro has already changed the request URL (see Shiro loginUrl) to "/login.jsf", I have no chance to detect whether the session has really timed out or the user is just not authenticated.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Detect-session-timeout-tp7412423p7412423.html
Sent from the Shiro User mailing list archive at Nabble.com.
