
I ran into an error when trying to log out programmatically with Shiro. The user logs in and logs out not through the web login/logout URL, but through a backend link.

When logging in, it works.

    Subject currentUser = SecurityUtils.getSubject();
    UsernamePasswordToken token = new UsernamePasswordToken(request.getParameter("username"), request.getParameter("password"));
    token.setRememberMe(true);
    try {
        currentUser.login(token);
    } catch (AuthenticationException e) {
        e.printStackTrace();
    }

But when I try to log out, I get an error:

    public void userLogout(String sessionId){
        SecurityManager securityManager = SecurityUtils.getSecurityManager();
        Subject.Builder builder = new Subject.Builder(securityManager);
        builder.sessionId(sessionId);
        Subject subject = builder.buildSubject();
        if (null != subject) {
            try {
                subject.logout();
            } catch (SessionException e) {
                // TODO: handle exception
            }
        }
    }

But I got the error [org.apache.shiro.session.UnknownSessionException: There is no session with id , so how do I manually close a Shiro session?

Paris Tao

1 Answer


You shouldn't try to recreate the session and then operate on it; you should get the session via the security manager, using the thread the user was logged into, like so:

    SecurityUtils.getSubject().logout();

If you somehow want to call logout from a different thread, you can use the SessionDAO interface, but you need to do extra configuration to have Shiro use a SessionDAO as described here:

http://shiro.apache.org/session-management.html#SessionManagement-SessionStorage

When you have configured it correctly you can do stuff like:

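    import java.util.Collection;
    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.mgt.DefaultSecurityManager;
    import org.apache.shiro.session.Session;
    import org.apache.shiro.session.mgt.DefaultSessionManager;

    DefaultSecurityManager securityManager = (DefaultSecurityManager) SecurityUtils.getSecurityManager();
    DefaultSessionManager sessionManager = (DefaultSessionManager) securityManager.getSessionManager();
    Collection<Session> activeSessions = sessionManager.getSessionDAO().getActiveSessions();
    // Stop the active session whose id matches the one to log out
    for (Session session : activeSessions) {
        if (sessionId.equals(session.getId())) {
            session.stop();
        }
    }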
Wouter
  • Yes, I noticed it and fixed the issue. I should not try to close the current thread via getSession(sessionId).logout. It causes the session to not be found before the current thread ends. Anyway, thanks. – Paris Tao Apr 08 '14 at 00:06
  • This does not work for me. I use Apache Shiro with JSP servlets, and Shiro is used with a browser popup login. – Madhuka Dilhan Jun 27 '19 at 11:38
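
The cross-thread logout described in the answer, as a self-contained example added here (not code from the question or the answer): it wires a `DefaultSessionManager` to a `SessionDAO`, logs a user in, then ends that session by id from another thread and shows that an unknown id is reported instead of throwing. The class name `ForcedLogoutExample`, the `terminateSession` helper and the `alice` account are made up for illustration, and it assumes only shiro-core on the classpath (a web application would use a native web session manager in the same role).

```java
import java.io.Serializable;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.session.mgt.DefaultSessionKey;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.eis.MemorySessionDAO;
import org.apache.shiro.subject.Subject;

public class ForcedLogoutExample { // hypothetical class name
    // Stops the session with the given id; returns false if it is unknown or already invalid.
    static boolean terminateSession(DefaultSecurityManager securityManager, Serializable sessionId) {
        try {
            // Look up the existing session through the manager instead of building a new Subject.
            securityManager.getSession(new DefaultSessionKey(sessionId)).stop();
            return true;
        } catch (SessionException e) {
            // Covers UnknownSessionException as well as expired or already stopped sessions.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed account, for the example only.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "example-password");

        // Native session manager backed by a SessionDAO, so sessions can be found by id.
        DefaultSessionManager sessionManager = new DefaultSessionManager();
        sessionManager.setSessionDAO(new MemorySessionDAO());
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        securityManager.setSessionManager(sessionManager);

        Subject user = new Subject.Builder(securityManager).buildSubject();
        user.login(new UsernamePasswordToken("alice", "example-password"));
        Serializable sessionId = user.getSession().getId();

        // A different thread, standing in for the backend logout call.
        Thread admin = new Thread(() -> System.out.println(
                "terminated: " + terminateSession(securityManager, sessionId)));
        admin.start();
        admin.join();

        System.out.println("second attempt: " + terminateSession(securityManager, sessionId));
        System.out.println("sessions left: " + sessionManager.getSessionDAO().getActiveSessions().size());
    }
}
```

Stopping a session on the server does not clear a rememberMe cookie such as the one the question's login sets, so the browser can still present a remembered identity afterwards.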