Shiro resets the session after 2 min

Question

I am using Apache Shiro in my webapp.

I store some parameters in the session notably the primary key of an object stored in the database.

When the user logs in, I load the object from the database and save the primary key in the session. Then within the app the user can edit the object's data and either hit a cancel or a save button.

Both buttons triggers a RPC that gets the updated data to the server. The object is then updated in the database using the primary key stored in the session.

If the user remains active in the app (making some RPCs) everything works fine. But if he stays inactive for 3 min and subsequently makes a RPC then Shiro's securityUtils.getSubject().getSession() returns null.

The session timeout is set to 1,200,000 ms (20 min) so I don't think this is the issue.

When I go through the sessions stored in the cache of my session manager I can see the user's session org.apache.shiro.session.mgt.SimpleSession,id=6de78f10-b58e-496c-b40a-e2a9a4ad069c but when I try to get the session ID from the cookie and to call SecurityUtils.getSecurityManager().getSession(key) to get the session (where key is a SessionKey implementation): I get an exception.

When I try building a new subject from the session ID I lose all the attributes saved in the session.

I am happy to post some code to help resolve the issue but I tried so many workarounds that I don't know where to start... So please let me know what you need.

Alternatively if someone knows a better documented framework than Shiro I am all ears (Shiro's lack of documentation makes it really too time consuming)

Answer 1

The issue was related to the session config in the ini file. As usual with shiro the order mattered and some of my lines were out of place.

Below is the config that worked for me:

sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
#sessionDAO.activeSessionsCacheName = dropship-activeSessionCache
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionDAO = $sessionDAO
# cookie for single sign on 
cookie = org.apache.shiro.web.servlet.SimpleCookie 
cookie.name = www.foo.com.session 
cookie.path = / 
sessionManager.sessionIdCookie = $cookie
# 1,800,000 milliseconds = 30 mins
sessionManager.globalSessionTimeout = 1800000
sessionValidationScheduler =
org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
sessionValidationScheduler.interval = 1800000
sessionManager.sessionValidationScheduler = $sessionValidationScheduler
securityManager.sessionManager = $sessionManager
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
securityManager.cacheManager = $cacheManager