I have seen a couple of promising posts on this, such as this discussion (http://shiro-user.582556.n2.nabble.com/Sessions-and-REST-td6036008.html) suggesting a session-per-request model. This is fine as long as you are passing credentials with every request, but I would also like to have a stateless application that works well with web applications.

My idea (not just mine) is to have a cookie that replaces the session id with a signed string with the username and expiration time. In this way, a client could use the cookie to authenticate as long as the expiration time had not passed. If it had passed, that would be an ExpiredSession exception. If the user "signed out" then it would forget the cookie or replace the cookie with one that had explicitly expired, or something like that.

1) Is this a good/bad idea in general?

2) Is there anything new in 1.2 that would help with this, or am I better off using the code from Sessions-and-REST (http://shiro-user.582556.n2.nabble.com/Sessions-and-REST-td6036008.html) as a starting place?

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Stateless-sessions-that-still-support-cookies-tp7514680.html
Sent from the Shiro User mailing list archive at Nabble.com.
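The signed-cookie scheme the post proposes, as an added example that is neither Shiro code nor the poster's own; it is written in Python as a language-neutral sketch of the token format and checks, and assumes a constructed demo key and a cookie named `auth`:

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real deployment loads it from protected configuration.
SECRET_KEY = b"demo-key-replace-in-production"

class ExpiredSession(Exception):
    """The cookie's expiration time has passed (the post's ExpiredSession case)."""

class InvalidToken(Exception):
    """The cookie is malformed or its signature does not verify."""

def _sign(username: str, expires: int) -> bytes:
    # Sign username and expiry together so neither can be altered independently.
    msg = f"{username}\x00{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()

def issue_token(username: str, ttl_seconds: int, now: int) -> str:
    """Cookie value replacing the session id: base64url(user).expiry.base64url(hmac)."""
    expires = now + ttl_seconds
    user = base64.urlsafe_b64encode(username.encode()).decode()
    sig = base64.urlsafe_b64encode(_sign(username, expires)).decode()
    return f"{user}.{expires}.{sig}"

def verify_token(token: str, now: int) -> str:
    """Return the username if the signature verifies and the token is unexpired."""
    try:
        user_b64, expires_s, sig_b64 = token.split(".")
        username = base64.urlsafe_b64decode(user_b64).decode()
        expires = int(expires_s)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("malformed cookie") from exc
    # Check the signature before trusting any field, with a constant-time compare.
    if not hmac.compare_digest(sig, _sign(username, expires)):
        raise InvalidToken("bad signature")
    if now >= expires:
        raise ExpiredSession(f"cookie for {username} expired at {expires}")
    return username

def sign_out_cookie() -> str:
    # Sign-out replaces the cookie with one the browser discards immediately;
    # the server holds no state to clear, so a copied token stays valid until expiry.
    return "auth=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax"
```

Because the server keeps no session state, sign-out only affects the browser that receives the expired cookie; revoking a token before its expiry needs a server-side denylist or key rotation, which is the trade-off to weigh for question 1.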
