Hello,

I've uncovered in our implementation and deployment of Shiro a race condition that can (and does) occur when a Session expires. Here are the steps that have to occur for us to "lose" the race:

1) User logs in, which creates a session. Session is cached and persisted (to a MySQL database).
2) User does nothing right up until the session is about to expire.
3) User requests a JSP just before his session is about to expire.
4) Servlet gets the Subject.
5) ExecutorServiceSessionValidationScheduler expires the session and deletes it from the cache and database.
6) The Servlet tries to extract the Subject's Principal, but the session doesn't exist, so it throws: javax.servlet.ServletException: org.apache.shiro.session.UnknownSessionException: There is no session with id [190fdf2a-daf7-41d2-aa3c-4eb2da9b33f2].
7) The user gets a 500 error (yikes!).

So my question is: what normally should prevent this problem? We have a custom SessionDAO, so I'm assuming the bug is in our implementation somewhere, but it wasn't obvious to me what the best way is to handle a Session being invalidated when some other thread has a handle to the Session.

I can, of course, post code, but I'm not really sure which code to post. Oh, we're using Shiro 1.2.2.

Thanks!
--Stephen

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Session-Expiration-race-condition-tp7581181.html
Sent from the Shiro User mailing list archive at Nabble.com.
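The interleaving in steps 4 to 6 above, reproduced deterministically as an added example. This is a stand-alone model, not Shiro code and not code from the original post: `SessionStore`, `MissingSessionException` and `handleRequest` are hypothetical names, and mapping a vanished session to a login redirect is an assumed handling, not one the post or Shiro prescribes.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

public class SessionExpiryRace {
    // Hypothetical stand-in for the "no session with id" failure in step 6.
    static class MissingSessionException extends RuntimeException {
        MissingSessionException(String id) { super("There is no session with id [" + id + "]"); }
    }

    // Hypothetical stand-in for the cache and database behind a custom SessionDAO.
    static class SessionStore {
        private final Map<String, String> principalById = new ConcurrentHashMap<>();
        String create(String principal) {
            String id = UUID.randomUUID().toString();
            principalById.put(id, principal);
            return id;
        }
        String readPrincipal(String id) {
            String principal = principalById.get(id);
            if (principal == null) throw new MissingSessionException(id);
            return principal;
        }
        void expire(String id) { principalById.remove(id); } // the validation scheduler's delete
    }

    // The request already holds the session id (step 4) and reads the principal
    // later (step 6); betweenSteps injects whatever runs in the gap (step 5).
    static int handleRequest(SessionStore store, String id, Runnable betweenSteps, boolean tolerant) {
        betweenSteps.run();
        try {
            store.readPrincipal(id);
            return 200;
        } catch (MissingSessionException e) {
            if (!tolerant) throw e; // uncaught: the container turns this into a 500
            return 302;             // assumed handling: treat as expired, send to login
        }
    }

    public static void main(String[] args) {
        SessionStore store = new SessionStore();
        String a = store.create("alice"); // constructed sample principal
        System.out.println("no expiry in the gap: " + handleRequest(store, a, () -> {}, false));
        try {
            handleRequest(store, a, () -> store.expire(a), false);
        } catch (MissingSessionException e) {
            System.out.println("expiry in the gap, unhandled: 500 (" + e.getMessage() + ")");
        }
        String b = store.create("alice");
        System.out.println("expiry in the gap, handled: " + handleRequest(store, b, () -> store.expire(b), true));
    }
}
```

The point of the model is that the request thread performs a check-then-act on state another thread may delete, so the read in step 6 has to treat "session gone" as an expected outcome rather than an internal error.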
