Thanks for clarification, so it is likely from my tomcat/mywebapp side. Let's trouble shoot this issue from my side.
Thanks again -D On Tue, May 8, 2012 at 11:54 AM, Les Hazlewood <[email protected]> wrote: > P.S. I tried this in Shiro's sample web app: > > https://svn.apache.org/repos/asf/shiro/trunk/samples/web/ > > (mvn jetty:run) > > I added <session-config> (2 minutes) to web.xml and it timed out properly. > > Flow: > 1. Log in successfully > 2. See the home page > 3. Wait a few minutes > 4. Click on the 'account page' link. > > Shiro redirected me to the login page because my previous 2-minute session > had timed-out. > > This is using Jetty of course, but it should work identically in Tomcat or > any other servlet container for that matter. > > HTH, > > -- > Les Hazlewood > CTO, Stormpath | http://stormpath.com | 888.391.5282 > twitter: @lhazlewood | http://twitter.com/lhazlewood > blog: http://leshazlewood.com > stormpath blog: http://www.stormpath.com/blog > > > On Tue, May 8, 2012 at 11:29 AM, Les Hazlewood <[email protected]> > wrote: >> >> The default ServletContainerSessionManager implementation relies on >> whatever config there is in web.xml. >> >> SHIRO-240 was closed because ServletContainerSessionManager no longer has >> the notion of a globalSessionTimeout property - it doesn't even exist in its >> class hierarchy because it can't honor it. After removing that property >> from its class hierarchy, it became 100% dependent upon the servlet >> container's behavior. >> >> I'd be curious if you find anything when enabling logging in your servlet >> container to see what is going on. Which one are you using? >> >> Regards, >> >> Les >> >> >> On Mon, May 7, 2012 at 10:53 PM, Dan Tran <[email protected]> wrote: >>> >>> Hi Les, >>> >>> Not sure if my issue related to this >>> https://issues.apache.org/jira/browse/SHIRO-240? >>> >>> Perhaps, i should reopen SHIRO-240? >>> >>> -Dan >>> >>> On Wed, May 2, 2012 at 6:56 AM, Les Hazlewood <[email protected]> >>> wrote: >>> > On Mon, Apr 30, 2012 at 2:38 PM, Dan Tran <[email protected]> wrote: >>> >> >>> >> due to this config >>> >> >>> >> <bean id="securityManager" >>> >> class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> >>> >> [....] >>> >> <property name="sessionManager.globalSessionTimeout" >>> >> value="1800000" /> >>> >> [....] >>> >> </bean> >>> > >>> > The above config is only valid if you've configured Shiro to use a >>> > 'native' session manager. By default, the DefaultWebSecurityManager >>> > uses a Servlet Container-based session manager, which delegates all >>> > session management behavior to the Servlet Container. >>> > >>> >> So I ended up to add this into my web.xml >>> >> >>> >> <session-config> >>> >> <session-timeout>30</session-timeout> >>> >> </session-config> >>> >> >>> >> I dont think this is working either ( i change the value to 1 and >>> >> session is not timing out after 1 minute ) >>> > >>> > This appears to be correct. I can't speak as to why your servlet >>> > container wouldn't be honoring a 1-minute timeout, but this would be >>> > out of Shiro's control since you're using Servlet Container-based >>> > session management. >>> > >>> > HTH, >>> > >>> > -- >>> > Les Hazlewood >>> > CTO, Stormpath | http://stormpath.com | 888.391.5282 >>> > twitter: @lhazlewood | http://twitter.com/lhazlewood >>> > blog: http://leshazlewood.com >>> > stormpath blog: http://www.stormpath.com/blog >> >> >
