Update: It seems as though the problem arises from using org.apache.shiro.web.session.mgt.DefaultWebSessionManager in combination with

    cookie = org.apache.shiro.web.servlet.SimpleCookie
    cookie.name = SSOcookie

The result is 2 different sessions with 2 different session cookies and 2 redundant sets of backing beans - one session named JSESSIONID generated by the application server and the other named SSOcookie generated by Shiro. Then, when subject.logout() is called, only the Shiro session bound to SSOcookie is invalidated but the other one survives including any @SessionScoped beans associated with this surviving session.

We have tried long and hard but have failed to grab hold of that surviving session in order to invalidate it programmatically, because we cannot correlate any beans of the JSESSIONID with those of SSOcookie to identify which sessions belong together.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Destroy-SessionScoped-CDI-beans-during-Shiro-logout-tp7580656p7580660.html
Sent from the Shiro User mailing list archive at Nabble.com.
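
Added example, not part of the original post and not Shiro project code: one way to end both sessions in the same logout call, so that the JSESSIONID session and its @SessionScoped beans do not outlive the Shiro session. It assumes Shiro 1.x on the javax.servlet API, that Shiro's filter hands the application a wrapped request whose getSession() resolves to the Shiro native session, and that logout runs inside an HTTP request; the class name DualSessionLogout is hypothetical.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestWrapper;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

/** Hypothetical helper: logs out of Shiro and the servlet container together. */
public final class DualSessionLogout {

    private DualSessionLogout() { }

    /** Peel off every request wrapper (Shiro's included) to reach the container's own request. */
    static HttpServletRequest unwrap(HttpServletRequest request) {
        ServletRequest current = request;
        while (current instanceof ServletRequestWrapper) {
            current = ((ServletRequestWrapper) current).getRequest();
        }
        return (HttpServletRequest) current;
    }

    /** Call from the logout action with the request the application received. */
    public static void logout(HttpServletRequest request) {
        // Look up the container session (JSESSIONID) on the unwrapped request.
        // getSession(false) never creates a new session just to destroy it.
        HttpSession containerSession = unwrap(request).getSession(false);

        // Ends the Shiro native session bound to SSOcookie, as described in the post.
        Subject subject = SecurityUtils.getSubject();
        subject.logout();

        // End the container session as well; the container then fires its
        // session-destroyed callbacks, which is what tears down session-scoped beans.
        if (containerSession != null) {
            try {
                containerSession.invalidate();
            } catch (IllegalStateException alreadyInvalidated) {
                // Session was already gone (timeout or concurrent logout): nothing left to do.
            }
        }
    }
}
```

Because both sessions are reached through the same in-flight request, no correlation between SSOcookie and JSESSIONID values is needed. After logout, a check worth automating is that a replayed pre-logout JSESSIONID no longer resolves to a live session.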
