I am currently using Shiro + Spring for a web application, with this
setup:
- my own realm
- a custom sessionDAO
- in sessionManager, 1 hour of timeout, false on
the sessionValidationSchedulerEnabled as I'm making use of a custom TTL
mechanism in the background
- enable the static methods of SecurityUtils by setting the securityManager
manually in the spring xml
- using native sessions instead of web sessions
- since I'm using native sessions, I don't deploy Shiro filters (is this
wrong?)

One thing I notice is that my session seems to time out very quickly, in only
a matter of a few minutes, not after an hour as per the globalSessionTimeout
configuration in the XML.
In the app, things are as normal: before login, isAuthenticated is false;
after login the subject is correct, the principal is fine, the session is
stored correctly, and authentication works when doing login.

So, what I did was try to find out how Shiro manages to 'remember' who I
am in subsequent requests by printing out cookies + request headers. But I
found nothing that relates to Shiro being able to remember me.

I am currently still testing with a single user.

Please share your insights on what could be the culprit here.

-- 
Do not pursue the past. Do not lose yourself in the future.
The past no longer is. The future has not yet come.
Looking deeply at life as it is in the very here and now,
the practitioner dwells in stability and freedom.
(Thich Nhat Hanh)
