I've decided that my above test doesn't make any sense, because the Session will be "touched" (lastAccessTime updated) before I get the Subject and the Subject's Principal, so with a reasonable timeout, it should still be fine. Seems unreasonable that the Servlet would be hung for 30 minutes (the default Session timeout).
--
View this message in context: http://shiro-user.582556.n2.nabble.com/Session-Expiration-race-condition-tp7581181p7581195.html
Sent from the Shiro User mailing list archive at Nabble.com.
