Thank you guys very much! This turned out to be the right line to pursue, although with some changes that I'll detail below in case anybody else has the same question in the future.
The maxAge on the Cookie that Shiro sets is -1, which means it expires when the browser closes. For a mobile web app wrapped in PhoneGap, it essentially never closes unless the OS closes it out as part of its regular app-cleaning processes, or the user force closes, in which case the cookie is wiped and you get the error messages that Les pointed out when the user tries to reconnect. As Jared described, to prevent that you need to change the default age of that cookie. The method that Jared pointed out caused some odd issues (like it expected me to name the cookie, and it seems that by setting the cookie myself I was taking on a lot of config responsibility), so I resolved it all by changing it to one line of config code: securityManager.sessionManager.sessionIdCookie.maxAge = 288000 That was it. Now the sessions last the full 72 hours, because that wasn't broken to begin with, and they won't cancel out if the app gets killed for whatever reason. Note too that the cookie's age is set in seconds, while the session's age is set in milliseconds. Thanks again! -- View this message in context: http://shiro-user.582556.n2.nabble.com/Native-session-management-for-web-sessions-tp7577474p7577483.html Sent from the Shiro User mailing list archive at Nabble.com.
