Hi Paul - this is odd behavior. We're using Shiro native session management and redirect the user to the login page immediately after calling subject.logout() as well, and we don't see these problems.
I'll take a peek at the paste as soon as I have time and let you know what I find. A quick workaround is to just catch and ignore the exception and then issue the redirect.

HTH,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282

On Wed, Jun 5, 2013 at 4:26 PM, Paul Holding <[email protected]> wrote:
> I need to allow users in my web based application to click on a logout button
> to securely end their session. The logout button executes the
> "SecurityUtils.getSubject().logout()" method and then redirects the user
> back to the login page. When Shiro uses the default container provided
> session management everything works as expected, however if I enable Shiro's
> built in session management, then an UnknownSessionException is thrown
> whenever the "SecurityUtils.getSubject().logout()" method is executed. Note
> that this occurs before the next line of code to redirect the user back to
> the login page is executed.
>
> Whilst trying to troubleshoot this problem I set the logging level to FINEST
> and found that when Shiro executes the logout() method it appears to have
> successfully stopped the session and then for some reason attempted to
> retrieve the session, at which point the error is thrown. I've uploaded the
> trace to pastebin http://pastebin.com/UdmC5bvL.
>
> The contents of the Shiro.ini file are as follows:
> [main]
> user = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
> user.loginUrl = /login.xhtml
>
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>
> securityManager.sessionManager = $sessionManager
>
> [users]
> <removed>
>
> [urls]
> /login.xhtml = user
> /app/** = user
>
> I have reproduced this issue on both WebSphere Application Server 8.5 and
> GlassFish 3.1.2.2 using Shiro 1.2.2
>
> I was about to start this thread earlier today but I saw an almost identical
> thread titled " Shiro throws UnknownSessionException when logout / re-login
> a user with expired session
> <http://shiro-user.582556.n2.nabble.com/Shiro-throws-UnknownSessionException-when-logout-re-login-a-user-with-expired-session-td7578800.html>
> " , however it appears that the specific issue reported there only occurs
> when the session has expired, although in my case the session hasn't
> expired. Rather than continue to hijack someone else’s thread I thought it
> would be better to start a new one. I did also find a thread titled " What
> might cause an UnknownSessionException
> <http://shiro-user.582556.n2.nabble.com/What-might-cause-an-UnknownSessionException-td7578179.html>
> " which looked promising but I would really prefer to stop the session
> correctly rather than using a workaround.
>
> Is using "SecurityUtils.getSubject().logout()" the correct way to allow a
> user to end their own session when using Shiro's built in session management
> and if so what can I do to stop the exception being thrown without resorting
> to workarounds such as removing the session attribute? I have tried
> wrapping the method in a try/catch statement, however it seems the exception
> is being caught by something else in the call stack.
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/UnknownSessionException-when-calling-logout-method-using-Shiro-s-built-in-session-management-tp7578804.html
> Sent from the Shiro User mailing list archive at Nabble.com.
