I am only aware of session-config in web.xml for setting session timeout. That only sets the cookie to last for the duration of the browser session.

Sent from my Moto X2

On 29-Mar-2017 22:05, "Harshdeep S Jawanda" <[email protected]> wrote:

> What are you referring to?
>
> GAE only supports Servlet 2.5 specification (so far). I am unaware of any configuration in web.xml (which is supported) that will tell the Servlet container to keep the session cookie's expires field refreshed upon every activity.
>
> Sent from my Moto X2
>
> On 29-Mar-2017 19:29, "Brian Demers" <[email protected]> wrote:
>
>> You _should_ be able to do this with standard servlet configuration (a web.xml, or an equivalent code). Shiro will just use the available session from your container.
>>
>> On Wed, Mar 29, 2017 at 12:56 AM, Harshdeep S Jawanda <[email protected]> wrote:
>>
>>> I have verified the following:
>>>
>>> - ServletContainerSessionManager integrates with the underlying way in which GAE manages HTTP sessions, so should be the choice for people using Shiro on GAE.
>>> - Prepending _ahs to the value of JSESSIONID cookie gives the ID of the _ah_SESSION entity in the GAE datastore (should this data be of use to anybody else in the future).
>>> - Setting session-timeout in web.xml works on GAE also (I'd had some doubts regarding this).
>>> - The JSESSIONID cookie resulting from the Shiro login process has no expires value, therefore is valid for the current session only.
>>>
>>> Here is what I want to achieve:
>>>
>>> 1. I want to set an expires value on the JSESSIONID cookie so that it isn't lost when the user closes the browser.
>>>    1. I can achieve this by setting the maxAge of the cookie explicitly in my login handler (after successful login). However this still leaves behind one issue...
>>> 2. Just like the _expires value of the _ah_SESSION entity gets updated every time a logged-in user uses the site (so that session remains valid for X time from last activity), I want the expires value of the JSESSIONID cookie to also get updated.
>>>
>>> How do I achieve this 2nd part? Shiro doesn't seem to handle this automatically: is there some setting I have missed? Remember, I have to use ServletContainerSessionManager and it doesn't have the sessionIdCookie.maxAge property (plus I don't think the expires value gets auto-updated every time anyway).
>>>
>>> Is my only viable option to create my own Filter?
>>>
>>> Or does an auto-refreshing cookie leave a security hole and is therefore inadvisable?
>>>
>>> Regards,
>>> Harshdeep S Jawanda
>>>
>>> On 29 March 2017 at 06:42, Harshdeep S Jawanda <[email protected]> wrote:
>>>
>>>> But where does DefaultWebSessionManager keep the session? In RAM? Then how and when does it decide to end a session?
>>>>
>>>> Because of App Engine's peculiar nature (instances may be stopped and started at any time based on load, and consecutive calls from the same user may end up going to different instances), sessions have to be stored in their built-in Datastore.
>>>>
>>>> I had always thought that Shiro on GAE interacts with these sessions and uses them to correspond its own idea/implementation of sessions. You're saying that's not the case?
>>>>
>>>> Regards,
>>>> Harshdeep S Jawanda
>>>>
>>>> On 29 March 2017 at 02:36, Brian Demers <[email protected]> wrote:
>>>>
>>>>> I cannot speak to anything specific to GAE, but the DefaultWebSessionManager "owns" the creation of the sessionId. If you want the container to control it, then you would use the ServletContainerSessionManager:
>>>>>
>>>>> https://github.com/apache/shiro/blob/master/web/src/main/java/org/apache/shiro/web/session/mgt/ServletContainerSessionManager.java
>>>>>
>>>>> On Mon, Mar 27, 2017 at 7:53 AM, Harshdeep S Jawanda <[email protected]> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I am trying to get a better understanding of how Shiro does session management on Google App Engine (a few things seem to be behaving counter-intuitively), so I'll start by asking some questions:
>>>>>>
>>>>>> 1. Does Shiro use the _ah_SESSION entities to manage session persistence on GAE?
>>>>>> 2. If so, what is the relationship between the key (name/ID) of the _ah_SESSION entity and the value stored in the JSESSIONID cookie?
>>>>>> 3. To put it differently, how does DefaultWebSessionManager know that if the JSESSIONID value is X, I have to look up entity Y in the GAE datastore?
>>>>>>
>>>>>> I have set the session-timeout to 1440 (24 hours) in web.xml, but logins seem to expire before then (cookie life is set to 5 days): if I log in now, do nothing after that, and refresh the page in, say, 13 hours, I am shown as logged out (depending entirely on Shiro for logins, not doing any other hanky-panky).
>>>>>>
>>>>>> It does seem like the value of the _expires field in the _ah_SESSION entities is being set to 24 hours from now.
>>>>>>
>>>>>> Regards,
>>>>>> Harshdeep S Jawanda
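
The custom Filter the thread asks about, as an added example (not part of the original thread and not Shiro or GAE code): on each request it re-sends the presented JSESSIONID with a fresh Max-Age, and it caps the total lifetime so that a copied cookie cannot be kept alive indefinitely by continued use. The class name, `Path=/`, and the choice of the thread's 1440-minute and 5-day figures as idle and absolute limits are assumptions; it is written against the Servlet 2.5 API.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: class name, Path=/ and both limits are assumptions.
// Map it in web.xml ahead of the Shiro filter so it runs on every request.
public class SessionCookieRefreshFilter implements Filter {
    private static final String NAME = "JSESSIONID";
    private static final long IDLE_S = 1440L * 60;            // same window as session-timeout (minutes)
    private static final long ABSOLUTE_S = 5L * 24 * 60 * 60; // hard cap counted from session creation

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false); // never create a session here
        // Only touch a cookie the container has already accepted as a live session.
        if (session != null && req.isRequestedSessionIdValid()
                && req.isRequestedSessionIdFromCookie()) {
            long ageS = (System.currentTimeMillis() - session.getCreationTime()) / 1000;
            String value = presentedCookie(req);
            if (ageS >= ABSOLUTE_S) {
                session.invalidate(); // sliding refresh must not extend a session forever
            } else if (value != null) {
                long maxAge = Math.min(IDLE_S, ABSOLUTE_S - ageS);
                // Servlet 2.5 has no Cookie.setHttpOnly(), so the header is written by hand.
                res.addHeader("Set-Cookie", NAME + "=" + value + "; Max-Age=" + maxAge
                        + "; Path=/; HttpOnly" + (req.isSecure() ? "; Secure" : ""));
            }
        }
        chain.doFilter(rq, rs);
    }

    // Returns the exact value the browser sent, so the container still recognises it.
    private static String presentedCookie(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (NAME.equals(c.getName())) return c.getValue();
        }
        return null;
    }
}
```

If the container issued its cookie with a different Path, the browser will hold two JSESSIONID cookies, so the Path here has to match the container's.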
