Hi,

This occurs only when there is a session timeout and a subsequent login/logout for that user.

It seems that, on successful login/logout, Shiro creates a new subject context, merges principals, etc. Those tasks require a session for some reason and eventually try to load a session from the current context, which has already expired and been removed from the datasource.

While trying, I have had different stack traces, each one leading to an unknown session exception at some point. For example, in one case on login I have a stack trace like the following:

        ...
        at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222)
        at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:108)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:112)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.getHost(AbstractNativeSessionManager.java:197)
        at org.apache.shiro.session.mgt.DelegatingSession.getHost(DelegatingSession.java:111)
        at org.apache.shiro.session.ProxiedSession.getHost(ProxiedSession.java:93)
        at org.apache.shiro.session.ProxiedSession.getHost(ProxiedSession.java:93)
        ...
        at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:344)
        at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:183)
        at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:283)
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
        ...

This indicates that, at some point when getting the host, it requires a session. Now, if I set the host name in the auth token, the trace is a bit different:

        ...
        at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:108)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:112)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.getAttribute(AbstractNativeSessionManager.java:209)
        at org.apache.shiro.session.mgt.DelegatingSession.getAttribute(DelegatingSession.java:141)
        at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121)
        at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121)
        at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121)
        at org.apache.shiro.subject.support.DelegatingSubject.getRunAsPrincipalsStack(DelegatingSubject.java:469)
        at org.apache.shiro.subject.support.DelegatingSubject.isRunAs(DelegatingSubject.java:441)
        at org.apache.shiro.mgt.DefaultSubjectDAO.mergePrincipals(DefaultSubjectDAO.java:187)
        at org.apache.shiro.mgt.DefaultSubjectDAO.saveToSession(DefaultSubjectDAO.java:166)
        at org.apache.shiro.mgt.DefaultSubjectDAO.save(DefaultSubjectDAO.java:147)
        at org.apache.shiro.mgt.DefaultSecurityManager.save(DefaultSecurityManager.java:383)
        at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:350)
        at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:183)
        at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:283)
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
        ...

On 6/5/13 8:07 PM, Paul Holding wrote:
Hi Dewan,

Forgot to ask: do you only get the UnknownSessionException error thrown when
the session has already expired, or does it occur whenever you are using
Shiro's built-in session management and then execute the logout() method?

Also, whilst trying to troubleshoot this problem I set the logging level to
FINEST and found that when Shiro executes the logout() method it appears to
have successfully stopped the session and then for some reason attempted to
retrieve the session, at which point the error is thrown. I've uploaded the
trace to pastebin: http://pastebin.com/UdmC5bvL. Would you be able to increase
the logging level and see if you get a similar result, please?

Kind Regards

Paul



--
View this message in context: 
http://shiro-user.582556.n2.nabble.com/Shiro-throws-UnknownSessionException-when-logout-re-login-a-user-with-expired-session-tp7578800p7578802.html
Sent from the Shiro User mailing list archive at Nabble.com.