3

I am using Apache Shiro in a web application. The login and authentication check works well, but I have a problem implementing a logout / re-login mechanism. The logout is done in a servlet:

    private void logout(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        log.debug("do logout");
        // Current subject bound to this request
        Subject subject = SecurityUtils.getSubject();
        // Shiro logout: clears principals and ends the session
        subject.logout();
        resp.sendRedirect("end.html");
    }

But after a logout and re-login I get the following error:

    org.apache.shiro.session.InvalidSessionException: java.lang.IllegalStateException:
      getAttribute: Session already invalidated
        at org.apache.shiro.web.session.HttpServletSession.removeAttribute(HttpServletSession.java:167)
        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
        at org.apache.shiro.subject.support.DelegatingSubject.clearRunAsIdentities(DelegatingSubject.java:424)
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:246)

The login is done in the following way (in a method of a UI component, I use ZK as UI framework):

    private void tryLogin(UsernamePasswordToken token) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(token);
            ...

I do not understand the exception, as the logout from Shiro invalidates the session and the re-login should access a new session.

Zoe
Michael

2 Answers

3

This will occur in Shiro before version 1.2 if someone (or something else) invalidates the session before Subject.logout() is invoked (e.g. httpSession.invalidate() and then subject.logout()).

This has been raised as a bug in SHIRO-298 and it has already been resolved in 1.2.0-SNAPSHOT builds. You can use one of the current snapshot builds or use Shiro 1.2.0 when it is released.

Zoe
Les Hazlewood
  • Hi, I'm using Shiro version `1.2.4`, still getting the same issue `getAttribute: Session already invalidated` after a logout and re-login. Any help? – Newbie Jan 29 '16 at 19:11
1

It looks like your UI framework is not regenerating the session after logout. You can try to force a new session by calling subject.getSession() just before the login call. Something like this:

    private void tryLogin(UsernamePasswordToken token) {
        Subject subject = SecurityUtils.getSubject();
        // Obtain (and, if needed, create) a session before logging in
        Session session = subject.getSession();
        try {
            subject.login(token);
        } catch (AuthenticationException e) {
            // login failed: handle according to the application's needs
        }
    }
ascandroli
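Putting the two answers together, the following is an added example (not code from the question or from either answer) of a logout servlet that lets Shiro end the session before the container session is touched, which is the ordering the accepted answer says avoids "Session already invalidated", and a login helper that asks for a live session before `subject.login()`, as the second answer suggests. The class names, the `doPost` mapping, `LoginHelper`, and the `end.html` redirect target are assumptions for illustration.

```java
// Added example: Shiro logout/login ordering. Class names, doPost mapping,
// LoginHelper and the "end.html" target are assumptions, not from the page.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

public class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Subject subject = SecurityUtils.getSubject();
        // 1. Let Shiro go first: logout() clears principals, run-as state and
        //    session attributes while the backing session is still valid.
        subject.logout();
        // 2. Only afterwards may the container session be invalidated.
        //    Doing req.getSession().invalidate() BEFORE subject.logout() is the
        //    ordering the accepted answer identifies as the trigger of the
        //    "Session already invalidated" exception on Shiro before 1.2.
        HttpSession http = req.getSession(false);
        if (http != null) {
            http.invalidate();
        }
        resp.sendRedirect("end.html");
    }
}

/** Login helper in the style of the question's tryLogin(); hypothetical. */
class LoginHelper {
    static boolean tryLogin(String username, char[] password) {
        Subject subject = SecurityUtils.getSubject();
        // Ask for a session explicitly so the login binds to a live one rather
        // than to whatever the previous logout left behind (second answer's
        // workaround). getSession(true) creates a session if none exists.
        subject.getSession(true);
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);
            return subject.isAuthenticated();
        } catch (AuthenticationException e) {
            // Wrong credentials, locked account, etc.: report only failure,
            // never the specific cause, to the caller-facing UI.
            return false;
        } finally {
            token.clear(); // drop the password copy held by the token
        }
    }
}
```

The point of the servlet is purely the order of the two calls: Shiro's `logout()` needs the session it is cleaning up to still exist, so any container-level invalidation belongs after it. If the UI framework (ZK here) invalidates the `HttpSession` itself on logout, the same ordering has to be enforced there, and the explicit `getSession(true)` in the helper gives the subsequent `login()` a valid session to work with either way.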