Your INI config looks fine. And yes, I wouldn't use the 'native' setting anymore.

The DefaultWebSessionManager by default uses a MemorySessionDAO which stores all sessions 100% in memory, so you shouldn't be losing anything.

The important lines are here:

org.apache.shiro.session.mgt.DefaultSessionManager .retrieveSession:218 -
Unable to resolve session ID from SessionKey
[org.apache.shiro.web.session.mgt.WebSessionKey@59bd523d]. Returning null
to indicate a session could not be found.

This means that Shiro couldn't obtain a JSESSIONID cookie from the request. Perhaps something is interfering from the client being able to set/get the JSESSIONID cookie? Can you see the JSESSIONID cookie being set in the response header?

Regards,

--
Les Hazlewood
CTO, Stormpath | http://stormpath.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
blog: http://leshazlewood.com
stormpath blog: http://www.stormpath.com/blog

On Thu, Jun 7, 2012 at 2:13 PM, drmike01 <[email protected]> wrote:
> I'm struggling a bit with using native session management in my web
> application, which doesn't seem to be persisting sessions for as long as I
> have configured them.
>
> My shiro.ini is configured with the following relevant lines, and to me this
> seems (based on documentation and forum messages) to be correct. I have a
> very long timeout (72 hrs) because the app is used in an already-secure
> environment, so this is the maximum time required by our regulations
> (basically a CYA thing), and I need to be able to cache the sessions because
> of the length of time.
>
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> securityManager.sessionManager = $sessionManager
> securityManager.sessionManager.globalSessionTimeout = 259200000
>
> I also tried adding in securityManager.sessionMode = native, which I saw in
> one comment, but that is apparently deprecated as of 1.2. It made some
> comments in the logs when it started, and seemed okay with that, but I don't
> think it helped.
>
> The problem is that, when I use my application (a web-based mobile app
> wrapped in PhoneGap), the sessions only seem to persist less than 30
> minutes, I haven't really been able to figure out exactly how long, and
> nowhere close to the 72 hrs I have configured. The (hopefully relevant) log
> output looks like this when I start the app:
>
> 2012-06-07 13:33:42,841 [pool-3-thread-1] DEBUG
> org.apache.shiro.config.ReflectionBuilder .resolveReference:235 -
> Encountered object reference '$sessionManager'. Looking up object with id
> 'sessionManager'
> 2012-06-07 13:33:42,845 [pool-3-thread-1] DEBUG
> org.apache.commons.beanutils.ConvertUtils .convert:460 - Convert string
> '259200000' to class 'long'
> 2012-06-07 13:33:42,845 [pool-3-thread-1] DEBUG
> org.apache.commons.beanutils.converters.LongConverter .convert:127 -
> Converting 'String' value '259200000' to type 'Long'
> 2012-06-07 13:33:42,845 [pool-3-thread-1] DEBUG
> org.apache.commons.beanutils.converters.LongConverter .convertToType:266 -
> No NumberFormat, using default conversion
> 2012-06-07 13:33:42,845 [pool-3-thread-1] DEBUG
> org.apache.commons.beanutils.converters.LongConverter .convert:158 -
> Converted to Long value '259200000'
> 2012-06-07 13:33:42,846 [pool-3-thread-1] DEBUG
> org.apache.shiro.realm.AuthorizingRealm .getAuthorizationCacheLazy:234 - No
> authorizationCache instance set. Checking for a cacheManager...
> 2012-06-07 13:33:42,846 [pool-3-thread-1] INFO
> org.apache.shiro.realm.AuthorizingRealm .getAuthorizationCacheLazy:248 - No
> cache or cacheManager properties have been set. Authorization cache cannot
> be obtained.
>
> And when I try to access the app after the timeout has occurred:
>
> 2012-06-07 11:12:50,181 [http-bio-8080-exec-2] DEBUG
> org.apache.shiro.session.mgt.DefaultSessionManager .retrieveSession:218 -
> Unable to resolve session ID from SessionKey
> [org.apache.shiro.web.session.mgt.WebSessionKey@59bd523d]. Returning null
> to indicate a session could not be found.
> 2012-06-07 11:12:50,182 [http-bio-8080-exec-2] DEBUG
> org.apache.shiro.web.servlet.SimpleCookie .readValue:366 - Found
> 'rememberMe' cookie value
> [...]
> 2012-06-07 11:12:50,182 [http-bio-8080-exec-2] DEBUG
> org.apache.shiro.mgt.DefaultSecurityManager .resolvePrincipals:495 - Found
> remembered PrincipalCollection. Adding to the context to be used for
> subject construction by the SubjectFactory.
> 2012-06-07 11:12:50,182 [http-bio-8080-exec-2] DEBUG
> org.apache.shiro.session.mgt.DefaultSessionManager .create:175 - Creating
> new EIS record for new session instance
> [org.apache.shiro.session.mgt.SimpleSession,id=null]
>
> Based on these logs, what it seems to me is that it isn't caching at all,
> even in memory, and therefore can't find sessions when whatever session it
> is looking at expires. It is, however, storing cookies, so that's happening
> okay. It acts like it's using the servlet containers sessions, but I don't
> see how it could with that configuration. I've also seen a bunch of logs
> that suggest it does session clean-ups, but it never seems to find any; that
> may not be related.
>
> Thank you in advance for any insight on this one. I'm kind of stumped.
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Native-session-management-for-web-sessions-tp7577474.html
> Sent from the Shiro User mailing list archive at Nabble.com.
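
Added example (not part of the original thread, and not Shiro code): a Python triage over Shiro DEBUG logs that finds each request that arrived without a session ID, the condition the reply points to, and records whether identity was then restored from the rememberMe cookie. The function names, the exec-5 lines, the second key hash and the cookie value are constructed for illustration; the message texts are the ones quoted in the thread.

```python
import re

# Layout seen in the thread: timestamp [thread] LEVEL logger .method:line - message
LINE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<thread>[^\]]+)\] \w+\s+\S+ \.\S+ - (?P<msg>.*)$")
NO_ID = "Unable to resolve session ID from SessionKey"
REMEMBERED = "Found 'rememberMe' cookie value"
CREATED = "Creating new EIS record for new session instance"

# Constructed sample: the thread's messages rejoined one event per line.
# The exec-5 request, its key hash and the cookie value are made up.
P = "org.apache.shiro."
SAMPLE = f"""
2012-06-07 11:12:50,181 [http-bio-8080-exec-2] DEBUG {P}session.mgt.DefaultSessionManager .retrieveSession:218 - {NO_ID} [{P}web.session.mgt.WebSessionKey@59bd523d]. Returning null to indicate a session could not be found.
2012-06-07 11:12:50,181 [http-bio-8080-exec-5] DEBUG {P}session.mgt.DefaultSessionManager .retrieveSession:218 - {NO_ID} [{P}web.session.mgt.WebSessionKey@00000000]. Returning null to indicate a session could not be found.
2012-06-07 11:12:50,182 [http-bio-8080-exec-2] DEBUG {P}web.servlet.SimpleCookie .readValue:366 - {REMEMBERED} [CONSTRUCTED-VALUE]
2012-06-07 11:12:50,182 [http-bio-8080-exec-2] DEBUG {P}mgt.DefaultSecurityManager .resolvePrincipals:495 - Found remembered PrincipalCollection. Adding to the context to be used for subject construction by the SubjectFactory.
2012-06-07 11:12:50,183 [http-bio-8080-exec-5] DEBUG {P}session.mgt.DefaultSessionManager .create:175 - {CREATED} [{P}session.mgt.SimpleSession,id=null]
2012-06-07 11:12:50,183 [http-bio-8080-exec-2] DEBUG {P}session.mgt.DefaultSessionManager .create:175 - {CREATED} [{P}session.mgt.SimpleSession,id=null]
"""

def triage(lines):
    """Return one record per request that reached Shiro without a session ID."""
    open_by_thread, records = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank, wrapped or foreign line
        thread, msg = m["thread"], m["msg"]
        if msg.startswith(NO_ID):
            rec = {"ts": m["ts"], "thread": thread, "remembered": False, "new_session": False}
            open_by_thread[thread] = rec  # events are correlated per worker thread
            records.append(rec)
        elif thread in open_by_thread:
            rec = open_by_thread[thread]
            if msg.startswith(REMEMBERED):
                rec["remembered"] = True
            elif msg.startswith(CREATED):
                rec["new_session"] = True
                del open_by_thread[thread]  # request handled; stop tracking it
    return records

def verdict(rec):
    """Summarise one record in terms of the diagnosis given in the reply."""
    if rec["remembered"]:
        return "no session ID in request; identity restored from rememberMe"
    return "no session ID in request; anonymous request"

if __name__ == "__main__":
    for r in triage(SAMPLE.splitlines()):
        print(r["ts"], r["thread"], verdict(r), "new session" if r["new_session"] else "")
```
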
