I'm struggling a bit with using native session management in my web application, which doesn't seem to be persisting sessions for as long as I have configured them.
My shiro.ini is configured with the following relevant lines, and to me this seems (based on documentation and forum messages) to be correct. I have a very long timeout (72 hrs) because the app is used in an already-secure environment, so this is the maximum time required by our regulations (basically a CYA thing), and I need to be able to cache the sessions because of the length of time.

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 259200000

I also tried adding in securityManager.sessionMode = native, which I saw in one comment, but that is apparently deprecated as of 1.2. It made some comments in the logs when it started, and seemed okay with that, but I don't think it helped.

The problem is that, when I use my application (a web-based mobile app wrapped in PhoneGap), the sessions only seem to persist less than 30 minutes (I haven't really been able to figure out exactly how long), and nowhere close to the 72 hrs I have configured.

The (hopefully relevant) log output looks like this when I start the app:

2012-06-07 13:33:42,841 [pool-3-thread-1] DEBUG org.apache.shiro.config.ReflectionBuilder .resolveReference:235 - Encountered object reference '$sessionManager'. Looking up object with id 'sessionManager'
2012-06-07 13:33:42,845 [pool-3-thread-1] DEBUG org.apache.commons.beanutils.ConvertUtils .convert:460 - Convert string '259200000' to class 'long'
2012-06-07 13:33:42,845 [pool-3-thread-1] DEBUG org.apache.commons.beanutils.converters.LongConverter .convert:127 - Converting 'String' value '259200000' to type 'Long'
2012-06-07 13:33:42,845 [pool-3-thread-1] DEBUG org.apache.commons.beanutils.converters.LongConverter .convertToType:266 - No NumberFormat, using default conversion
2012-06-07 13:33:42,845 [pool-3-thread-1] DEBUG org.apache.commons.beanutils.converters.LongConverter .convert:158 - Converted to Long value '259200000'
2012-06-07 13:33:42,846 [pool-3-thread-1] DEBUG org.apache.shiro.realm.AuthorizingRealm .getAuthorizationCacheLazy:234 - No authorizationCache instance set. Checking for a cacheManager...
2012-06-07 13:33:42,846 [pool-3-thread-1] INFO org.apache.shiro.realm.AuthorizingRealm .getAuthorizationCacheLazy:248 - No cache or cacheManager properties have been set. Authorization cache cannot be obtained.

And when I try to access the app after the timeout has occurred:

2012-06-07 11:12:50,181 [http-bio-8080-exec-2] DEBUG org.apache.shiro.session.mgt.DefaultSessionManager .retrieveSession:218 - Unable to resolve session ID from SessionKey [org.apache.shiro.web.session.mgt.WebSessionKey@59bd523d]. Returning null to indicate a session could not be found.
2012-06-07 11:12:50,182 [http-bio-8080-exec-2] DEBUG org.apache.shiro.web.servlet.SimpleCookie .readValue:366 - Found 'rememberMe' cookie value [...]
2012-06-07 11:12:50,182 [http-bio-8080-exec-2] DEBUG org.apache.shiro.mgt.DefaultSecurityManager .resolvePrincipals:495 - Found remembered PrincipalCollection. Adding to the context to be used for subject construction by the SubjectFactory.
2012-06-07 11:12:50,182 [http-bio-8080-exec-2] DEBUG org.apache.shiro.session.mgt.DefaultSessionManager .create:175 - Creating new EIS record for new session instance [org.apache.shiro.session.mgt.SimpleSession,id=null]

Based on these logs, what it seems to me is that it isn't caching at all, even in memory, and therefore can't find sessions when whatever session it is looking at expires. It is, however, storing cookies, so that's happening okay. It acts like it's using the servlet container's sessions, but I don't see how it could with that configuration. I've also seen a bunch of logs that suggest it does session clean-ups, but it never seems to find any; that may not be related.

Thank you in advance for any insight on this one. I'm kind of stumped.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Native-session-management-for-web-sessions-tp7577474.html
Sent from the Shiro User mailing list archive at Nabble.com.
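The sequence in the second log excerpt above (no session ID resolved, identity restored from the rememberMe cookie, new session created) can be picked out of a larger Shiro debug log mechanically. The following Python sketch is an added example, not part of the original post or of Shiro; its function names are hypothetical, the first four sample lines are the post's (cookie value shown as a placeholder) and the last two are constructed for contrast.

```python
import re
from collections import defaultdict

# Lines 1-4: the post's second log excerpt (cookie value shown as a placeholder).
# Lines 5-6: constructed here for contrast (a request that carries no rememberMe cookie).
SAMPLE_LOG = """\
2012-06-07 11:12:50,181 [http-bio-8080-exec-2] DEBUG org.apache.shiro.session.mgt.DefaultSessionManager .retrieveSession:218 - Unable to resolve session ID from SessionKey [org.apache.shiro.web.session.mgt.WebSessionKey@59bd523d]. Returning null to indicate a session could not be found.
2012-06-07 11:12:50,182 [http-bio-8080-exec-2] DEBUG org.apache.shiro.web.servlet.SimpleCookie .readValue:366 - Found 'rememberMe' cookie value [<cookie value elided>]
2012-06-07 11:12:50,182 [http-bio-8080-exec-2] DEBUG org.apache.shiro.mgt.DefaultSecurityManager .resolvePrincipals:495 - Found remembered PrincipalCollection. Adding to the context to be used for subject construction by the SubjectFactory.
2012-06-07 11:12:50,182 [http-bio-8080-exec-2] DEBUG org.apache.shiro.session.mgt.DefaultSessionManager .create:175 - Creating new EIS record for new session instance [org.apache.shiro.session.mgt.SimpleSession,id=null]
2012-06-07 11:13:02,400 [http-bio-8080-exec-3] DEBUG org.apache.shiro.session.mgt.DefaultSessionManager .retrieveSession:218 - Unable to resolve session ID from SessionKey [org.apache.shiro.web.session.mgt.WebSessionKey@1a2b3c4d]. Returning null to indicate a session could not be found.
2012-06-07 11:13:02,401 [http-bio-8080-exec-3] DEBUG org.apache.shiro.session.mgt.DefaultSessionManager .create:175 - Creating new EIS record for new session instance [org.apache.shiro.session.mgt.SimpleSession,id=null]
"""

# Layout used in the post: timestamp [thread] LEVEL logger .method:line - message
LINE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<thread>[^\]]+)\] (?P<level>\w+)\s+"
                  r"(?P<logger>\S+)\s+\.(?P<method>\w+):(?P<line>\d+) - (?P<msg>.*)$")

# Message prefix -> event tag, for the four messages quoted in the post.
EVENTS = [
    ("Unable to resolve session ID from SessionKey", "no_session_id"),
    ("Found 'rememberMe' cookie value", "remember_me_cookie"),
    ("Found remembered PrincipalCollection", "remembered_principals"),
    ("Creating new EIS record for new session", "new_session"),
]

def events_by_thread(log_text):
    """Return {thread name: [event tags in log order]} for recognised lines."""
    seen = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not in the expected layout; ignore
        for prefix, tag in EVENTS:
            if m["msg"].startswith(prefix):
                seen[m["thread"]].append(tag)
    return dict(seen)

def rebuilt_from_remember_me(tags):
    """True when a request arrived without a session ID, had its identity restored
    from the rememberMe cookie, and was then given a brand-new session."""
    it = iter(tags)  # ordered subsequence check: each step must follow the previous one
    return all(step in it for step in ("no_session_id", "remembered_principals", "new_session"))

if __name__ == "__main__":
    for thread, tags in events_by_thread(SAMPLE_LOG).items():
        verdict = "rebuilt from rememberMe" if rebuilt_from_remember_me(tags) else "other"
        print(f"{thread}: {' -> '.join(tags)} [{verdict}]")
```

Grouping by thread name is an assumption that fits this short excerpt; container threads are reused across requests, so a longer log needs a per-request boundary.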
