Shiro: Cannot invalidate HttpSession

Question

I have a Shiro session (id=11111) and a http session (id=22222).

When I try to invalidate the HttpSession, the wrong id is used.

Code:

public void logout() {
      SecurityUtils.getSubject().logout();

// exception is thrown in this line
FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
    }

Exception:

java.lang.IllegalStateException:
 org.apache.shiro.session.UnknownSessionException:
 There is no session with id [22222]

How can I invalidate the HttpSession or rather set the correct id?

The complete stack trace would be useful – Steve C Aug 10 '15 at 12:38 — Steve C, Aug 10 '15 at 12:38

sinclair · Accepted Answer · 2015-08-11T08:45:41.677

1

The problem was solved by implementing a HttpSessionBindingListener and create a mapping of Shiro sessions to http sessions.

edited Aug 11 '15 at 08:45

answered Aug 11 '15 at 08:35

sinclair

2,812
4
24
53

score 0 · Answer 2 · answered Apr 06 '17 at 08:41

0

SecurityUtils.getSubject().logout() stop and invalidate the session from DefaultSecurityManager.logout(Subject subject). So the session could not be invalidated after logout() call.

answered Apr 06 '17 at 08:41

jpl

347
3
11

Shiro: Cannot invalidate HttpSession

2 Answers2