[jira] [Comment Edited] (SHIRO-613) StoppedSessionException: Session with id has been explicitly stopped. No further interaction under this session is allowed.


JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/SHIRO-613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15875930#comment-15875930 ]

sreenivas Harshith edited comment on SHIRO-613 at 2/21/17 1:04 PM:
-------------------------------------------------------------------

[~bdemers]


Found the issue. The issue was with the SecurityUtils.getSubject() method I used to acquire the currently executing user. This method uses ThreadContext, and I guess the subject is getting shared across threads as I am using TomEE with Http-Nio. After I log in some 5 times, on the next call to log in again SecurityUtils.getSubject().isAuthenticated() returns true even before I call login(token); and when I check the principals it's the same user. I changed it to
Subject currentUser = new Subject.Builder().buildSubject();
After this change I am getting a unique session ID for each login attempt, and even if some sessions are expired it's not complaining.



was (Author: sreenivash09):
[~bdemers]




> StoppedSessionException: Session with id has been explicitly stopped.  No further interaction under this session is allowed.
> ----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-613
>                 URL: https://issues.apache.org/jira/browse/SHIRO-613
>             Project: Shiro
>          Issue Type: Bug
>          Components: Authentication (log-in), Session Management
>    Affects Versions: 1.3.2
>            Reporter: sreenivas Harshith
>              Labels: Sessiontimeout, StoppedSessionException, login, session
>
> I am using the default Shiro native session manager and a Session DAO backed by a DB store for storing sessions. I have set the session timeout to 10 min and I have the same user log in multiple times, say 8 times. Once the session is expired I tried to log in with the same user credentials from a different client, and Shiro is calling the delete(Session sn) method implemented in my DAO to delete those old sessions that are expired. Once the deletion is completed it throws an exception with the deleted session ID saying org.apache.shiro.session.StoppedSessionException: Session with id [a9dd97a1-90d4-435c-b363-f74052dfa0dc] has been explicitly stopped.  No further interaction under this session is allowed, and it fails to log in the user.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
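
An added illustration, not part of the original thread and not Shiro's own code: state bound to a pooled worker thread stays visible to the next request that thread serves unless it is cleared. Only the JDK is used; the names ThreadBoundIdentityDemo, CURRENT_USER, leakyHandle and cleanHandle are hypothetical, and a single-thread executor stands in for a container's reused worker threads.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added example: JDK only, all names hypothetical.
public class ThreadBoundIdentityDemo {
    // Per-thread "current user", the same pattern as a thread-bound security context.
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    // Leaky handler: binds the identity on login but never unbinds it.
    static String leakyHandle(String loginAs) {
        String seenOnEntry = CURRENT_USER.get(); // what an "already authenticated?" check sees
        if (loginAs != null) {
            CURRENT_USER.set(loginAs);
        }
        return seenOnEntry;
    }

    // Hardened handler: the thread always goes back to the pool with no identity bound.
    static String cleanHandle(String loginAs) {
        try {
            String seenOnEntry = CURRENT_USER.get();
            if (loginAs != null) {
                CURRENT_USER.set(loginAs);
            }
            return seenOnEntry;
        } finally {
            CURRENT_USER.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Request 1 logs in as "alice" (constructed sample value);
            // request 2 comes from a different client that has not logged in.
            pool.submit(() -> leakyHandle("alice")).get();
            String leaked = pool.submit(() -> leakyHandle(null)).get();
            System.out.println("leaky handler, request 2 sees: " + leaked);

            pool.submit(CURRENT_USER::remove).get(); // reset the worker between the two runs
            pool.submit(() -> cleanHandle("alice")).get();
            String clean = pool.submit(() -> cleanHandle(null)).get();
            System.out.println("clean handler, request 2 sees: " + clean);
        } finally {
            pool.shutdown();
        }
    }
}
```

With the leaky handler the second request observes the first request's identity on entry; with the `finally` cleanup it observes none.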

Re: [jira] [Comment Edited] (SHIRO-613) StoppedSessionException: Session with id has been explicitly stopped. No further interaction under this session is allowed.

Jim Manico
ThreadLocal and similar in Tomcat is problematic. I had to drop the
ThreadLocal optimization from the OWASP Java Encoder (which sped it up
dramatically) because of Tomcat.

I am not sure if this is relevant, but thought I'd drop this note anyhow.

Aloha, Jim



Re: [jira] [Comment Edited] (SHIRO-613) StoppedSessionException: Session with id has been explicitly stopped. No further interaction under this session is allowed.

Brian Demers
Thanks Jim!

On Tue, Feb 21, 2017 at 3:03 PM, Jim Manico <[hidden email]> wrote:

> ThreadLocal and similar in Tomcat is problematic. I had to drop the
> ThreadLocal optimization from the OWASP Java Encoder (which sped it up
> dramatically) because of Tomcat.
>
> I am not sure if this is relevant, but thought I'd drop this note anyhow.
>
> Aloha, Jim