The default ServletContainerSessionManager implementation relies on
whatever config there is in web.xml.

SHIRO-240 was closed because ServletContainerSessionManager no longer has
the notion of a globalSessionTimeout property - it doesn't even exist in
its class hierarchy because it can't honor it.  After removing that
property from its class hierarchy, it became 100% dependent upon the
servlet container's behavior.

I'd be curious if you find anything when enabling logging in your servlet
container to see what is going on.  Which one are you using?

Regards,

Les

On Mon, May 7, 2012 at 10:53 PM, Dan Tran <[email protected]> wrote:

> Hi Les,
>
> Not sure if my issue is related to this
> https://issues.apache.org/jira/browse/SHIRO-240?
>
> Perhaps, I should reopen SHIRO-240?
>
> -Dan
>
> On Wed, May 2, 2012 at 6:56 AM, Les Hazlewood <[email protected]> wrote:
> > On Mon, Apr 30, 2012 at 2:38 PM, Dan Tran <[email protected]> wrote:
> >>
> >> due to this config
> >>
> >>  <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
> >>    [....]
> >>    <property name="sessionManager.globalSessionTimeout" value="1800000" />
> >>    [....]
> >>  </bean>
> >
> > The above config is only valid if you've configured Shiro to use a
> > 'native' session manager.  By default, the DefaultWebSecurityManager
> > uses a Servlet Container-based session manager, which delegates all
> > session management behavior to the Servlet Container.
> >
> >> So I ended up adding this to my web.xml
> >>
> >>  <session-config>
> >>    <session-timeout>30</session-timeout>
> >>  </session-config>
> >>
> >> I don't think this is working either (I changed the value to 1 and
> >> the session is not timing out after 1 minute)
> >
> > This appears to be correct.  I can't speak as to why your servlet
> > container wouldn't be honoring a 1-minute timeout, but this would be
> > out of Shiro's control since you're using Servlet Container-based
> > session management.
> >
> > HTH,
> >
> > --
> > Les Hazlewood
> > CTO, Stormpath | http://stormpath.com | 888.391.5282
> > twitter: @lhazlewood | http://twitter.com/lhazlewood
> > blog: http://leshazlewood.com
> > stormpath blog: http://www.stormpath.com/blog
>
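
Added example, not part of the original thread or the Shiro project's own configuration: a Spring XML sketch of the two options discussed above, a native session manager on which `globalSessionTimeout` (milliseconds) takes effect, next to the container-managed default, where only web.xml's `session-timeout` (minutes) applies. The bean id `sessionManager` is an assumption; the realm and other properties are elided as in the thread.

```xml
<!-- Added illustration; bean ids are assumptions, not taken from the thread. -->

<!-- Option 1: native session management. Shiro owns the session lifecycle,
     so globalSessionTimeout is honored. The value is in milliseconds. -->
<bean id="sessionManager"
      class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
  <!-- 1800000 ms = 30 minutes -->
  <property name="globalSessionTimeout" value="1800000"/>
</bean>

<bean id="securityManager"
      class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
  <!-- realm and other properties elided, as in the thread -->
  <property name="sessionManager" ref="sessionManager"/>
</bean>

<!-- Option 2: container-based session management (the default
     ServletContainerSessionManager). Leave sessionManager unset on the
     securityManager bean and set the timeout in web.xml; the value is in
     minutes and is enforced by the servlet container, not by Shiro. -->
<!--
<session-config>
  <session-timeout>30</session-timeout>
</session-config>
-->
```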
