I'm trying to support an app that has multiple session timeouts depending on how the users interact with it. One way is to use a mobile app, and the other is a web-based version. Both access the same backend using AJAX, and I use Shiro to authenticate those queries and handle the session timeouts. Because the mobile app will only be used on locked mobile phones, I would like the session timeout to be substantially longer than would be acceptable for the web version (several hours v. ~15 minutes).

I understand that there should be only one SecurityManager per app, and therefore only one SessionManager as well, and the timeouts are configured in those, therefore only one session timeout. I've thought of two potential ways of handling this given that I have to have one fixed session timeout, but neither feels "right", and I'm wondering if I'm missing another option.

The first option is to use my subclassed AuthenticatingFilter, use something like subject.getSession().getLastAccessTime() as well as the path they're accessing to figure out if it's too long for that particular path, and if so, use something like SimpleSession.setExpired(true) to kill the session. Not sure if this will work, though, as the way the classes call each other is a bit confusing to me.

The second would be to create a thread that routinely went through all the active sessions, like the validator would, and do similar logic to step one to expire the incorrect sessions. I'm worried this may be expensive, particularly if I'm using a third party session management cache (like Amazon's).

I suppose I could also override the validation process, but that seems a bit messy.

Thanks in advance for any suggestions.

Mike

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Support-for-multiple-session-timeouts-tp7577708.html
Sent from the Shiro User mailing list archive at Nabble.com.
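As an added example (not code from the post, and not Shiro's own), the filter below takes a third route that differs from both options above: Shiro's Session interface exposes setTimeout(long), which overrides the SessionManager's globalSessionTimeout for that one session only, so each login can be given its own idle limit while the app keeps a single SecurityManager and SessionManager. The class name, the sessionTimeoutMillis property, the URL paths in the shiro.ini comment and the choice to extend FormAuthenticationFilter (so the class compiles stand-alone) are all assumptions.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

/**
 * Authentication filter that stamps a per-session idle timeout at login time.
 *
 * Two instances are configured with different timeouts and mapped to the
 * mobile and web login URLs, so the client type is decided by the server-side
 * filter-chain mapping rather than by anything the client sends (a header or
 * a path prefix chosen by the client could be spoofed by a browser that wants
 * the longer mobile timeout).
 *
 * Because SimpleSession serializes its own timeout field, the per-session value
 * travels with the session into whatever SessionDAO or cache is in use, and the
 * existing session validator expires each session against its own timeout.
 */
public class ClientAwareTimeoutFilter extends FormAuthenticationFilter {

    // Default: ~15 minutes, the web-client value. The mobile instance overrides it in shiro.ini.
    private long sessionTimeoutMillis = 15L * 60 * 1000;

    // Bean property so shiro.ini's [main] section can set it (hypothetical property name).
    public void setSessionTimeoutMillis(long sessionTimeoutMillis) {
        this.sessionTimeoutMillis = sessionTimeoutMillis;
    }

    public long getSessionTimeoutMillis() {
        return sessionTimeoutMillis;
    }

    @Override
    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
                                     ServletRequest request, ServletResponse response) throws Exception {
        // Override the global timeout for this session only; DelegatingSession forwards
        // the change to the SessionManager, which persists it via the SessionDAO.
        Session session = subject.getSession();
        session.setTimeout(sessionTimeoutMillis);
        return super.onLoginSuccess(token, subject, request, response);
    }
}

// Assumed shiro.ini wiring (paths are placeholders):
// [main]
// webAuthc = com.example.ClientAwareTimeoutFilter
// mobileAuthc = com.example.ClientAwareTimeoutFilter
// mobileAuthc.sessionTimeoutMillis = 14400000   ; 4 hours, as an example of "several hours"
// [urls]
// /api/mobile/login = mobileAuthc
// /api/web/login = webAuthc
```

Because the idle check runs inside Shiro's own session validation, no extra sweeper thread or per-request last-access arithmetic is needed, and the timeout is enforced even for requests that never pass through this filter.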
