You can set them both. The session timeout refers to the interval between requests (defaults to 30 min). So if a user doesn't make a request for 30 min the session becomes inactive.
The cookie timeout is how long the cookie should live on the client (defaults to when the browser closes). If a user does NOT make a request in 30 minutes, the cookie would be removed, and the user redirected to the login page.

On Thu, Mar 16, 2017 at 12:27 PM, Harshdeep S Jawanda <[email protected]> wrote:

> The issue seems to have magically resolved itself: can't reproduce it.
>
> In general, do I need to set the max age of both the cookie and the
> session, or is it enough to set the max age of the cookie?
>
> Thank you so much for your help!!
>
> Regards,
> Harshdeep S Jawanda
>
> On 16 March 2017 at 21:29, Brian Demers <[email protected]> wrote:
>
>> I usually have URL rewriting turned off due to session fixation, but if
>> you put a simple sample together, I bet we can help you out.
>>
>> On Thu, Mar 16, 2017 at 11:42 AM, Harshdeep S Jawanda <
>> [email protected]> wrote:
>>
>>> Btw, per my browser's settings, it does allow cookies.
>>>
>>> Sent from my Moto X2
>>>
>>> On 16-Mar-2017 21:11, "Harshdeep S Jawanda" <[email protected]> wrote:
>>>
>>>> It does stop the exception from happening (a million thanks!!!), but
>>>> now there's a new issue: the redirection post-login (which was successful:
>>>> the correct username is printed in the logs) isn't working properly.
>>>>
>>>> Browser gives the message that the website is not redirecting properly.
>>>> The post-redirect URL (in browser's location bar) looks like:
>>>> example.com//;JSESSIONID=xyz (in this case it's supposed to redirect
>>>> back to homepage). I think it's the "//" part that might be causing the
>>>> problem.
>>>>
>>>> Investigating...
>>>>
>>>> Sent from my Moto X2
>>>>
>>>> On 16-Mar-2017 20:37, "Brian Demers" <[email protected]> wrote:
>>>>
>>>> It should, give it a shot
>>>>
>>>> On Thu, Mar 16, 2017 at 10:49 AM, Harshdeep S Jawanda <
>>>> [email protected]> wrote:
>>>>
>>>>> On 16 March 2017 at 19:41, Brian Demers <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> You can disable session validation:
>>>>>> https://shiro.apache.org/session-management.html#disabling-session-validation
>>>>>
>>>>> And that should solve my problems when using
>>>>> DefaultWebSessionManager?
>>>>>
>>>>> Regards,
>>>>> Harshdeep S Jawanda
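
Added example, not part of the thread or of the Shiro project's own documentation: a `shiro.ini` fragment that sets the two timeouts discussed above side by side and turns off URL rewriting, using `DefaultWebSessionManager` as in the thread. The concrete values are illustrative assumptions, and `secure = true` assumes the application is served over HTTPS.

```ini
[main]
# Use Shiro's native web session manager (the one discussed in the thread).
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

# Server-side idle timeout: the maximum interval between two requests.
# Unit is MILLISECONDS. 1800000 ms = 30 minutes, which is also the default.
sessionManager.globalSessionTimeout = 1800000

# Client-side lifetime of the session ID cookie.
# Unit is SECONDS. -1 (the default) makes it a browser-session cookie that
# is discarded when the browser closes. A positive value keeps the cookie
# across browser restarts, but the server-side session still expires after
# globalSessionTimeout of inactivity, so a longer cookie does not extend it.
sessionManager.sessionIdCookie.maxAge = -1

# Keep the session ID away from page scripts and off plain-HTTP requests.
# (secure = true is an assumption: it requires the site to run over HTTPS.)
sessionManager.sessionIdCookie.httpOnly = true
sessionManager.sessionIdCookie.secure = true

# Never append ";JSESSIONID=..." to URLs. A session ID in the URL ends up in
# links, logs and Referer headers, which is the session fixation concern
# raised in the thread.
sessionManager.sessionIdUrlRewritingEnabled = false

# Periodic validation of stored sessions (enabled by default). Setting this
# to false is the "disabling session validation" option linked in the
# thread; expired sessions are then only detected when they are next accessed.
sessionManager.sessionValidationSchedulerEnabled = true
```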
