shiro cookie

My Shiro Journey, Part Ten: Customizing Shiro's SessionIdCookie
Category: shiro | Author: lhacker | Release Date: 2014-11-12
The sessionId sometimes changes for no apparent reason, and then a "There is no session with id [xxxx]" exception is thrown. When a request arrives and Shiro creates a session, it writes the sessionId back to the client in a cookie. On every later request, Shiro reads the sessionId from that cookie and looks the session up. If the lookup fails, it may throw the There is no session with id exception.

There are two situations in which this exception is thrown. The first is the one just mentioned: the cookie has been rewritten. Shiro's default cookie name is JSESSIONID, the same name the servlet container uses, so when the request interception configured in web.xml is unreasonable, the cookie may be rewritten. In my project, because some static resources are configured not to be intercepted, this cookie was rewritten by the container. Later I simply changed the name of the cookie so that it is no longer called JSESSIONID.

The second situation is that the browser has been idle for a long time and Shiro's periodic check has cleared the inactive session. When the browser then sends another request, the session is already gone, so There is no session with id is thrown as well.

Change the name of the cookie as follows:

<bean id="shiroSessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
    <property name="sessionDAO" ref="sessionDAO"/>
    <!-- <property name="sessionValidationScheduler" ref="shiroSessionValidationScheduler"/> -->
    <property name="sessionValidationInterval" value="1800000"/>  <!-- how often session validity is checked -->
    <property name="globalSessionTimeout" value="1800000"/>  <!-- session is valid for half an hour (in milliseconds) -->
    <property name="sessionIdCookie.domain" value=".xxx.com"/>
    <property name="sessionIdCookie.name" value="jsid"/>
    <property name="sessionIdCookie.path" value="/"/>
    <!-- <property name="sessionListeners">
        <list>
            <bean class="com.concom.security.interfaces.listener.SessionListener"/>
        </list>
    </property> -->
</bean>

Opening the source code of Shiro's DefaultWebSessionManager class shows that it contains a private Cookie sessionIdCookie; attribute. This is the sessionId cookie. In the constructor of DefaultWebSessionManager, its name is initialized to ShiroHttpSession.DEFAULT_SESSION_ID_NAME, which is "JSESSIONID". Here we don't change the source code; we just change the attributes of sessionIdCookie through Spring.

public DefaultWebSessionManager() {
    Cookie cookie = new SimpleCookie(ShiroHttpSession.DEFAULT_SESSION_ID_NAME);
    cookie.setHttpOnly(true); //more secure, protects against XSS attacks
    this.sessionIdCookie = cookie;
    this.sessionIdCookieEnabled = true;
}


In the XML configuration above, the value of sessionIdCookie.domain is written as .xxx.com; the right value depends on your own project. This setting lets a domain name and its second-level domain names share the cookie. sessionIdCookie.name is the name of the cookie, and its value here is jsid. With this in place, the browser shows an additional cookie named jsid, whose value is the id of the current session.

There are also two settings for session validity. sessionValidationInterval is how often Shiro's timer checks the validity of sessions, and globalSessionTimeout is how long a session remains valid. Of course, we can also define our own timer and inject it into the sessionValidationScheduler property of DefaultWebSessionManager, but I personally think it is not necessary.
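The two failure cases described in this post, replayed in a small Python model. This is an added example, not Shiro code and not from the original post. The SessionStore class, the run function, the session ids and the assumption that both cookies share one domain and path are constructed for illustration.

```python
class UnknownSession(Exception):
    pass

class SessionStore:
    """Stand-in for Shiro's session manager and SessionDAO (not the real API)."""
    def __init__(self, cookie_name, timeout_ms):
        self.cookie_name = cookie_name
        self.timeout_ms = timeout_ms
        self.last_access = {}            # session id -> last access time in ms

    def create(self, now_ms):
        sid = f"shiro-{len(self.last_access) + 1}"
        self.last_access[sid] = now_ms
        return self.cookie_name, sid     # name/value pair sent back as a cookie

    def validate_sessions(self, now_ms):
        # Periodic sweep: discard sessions idle longer than the timeout.
        for sid, seen in list(self.last_access.items()):
            if now_ms - seen > self.timeout_ms:
                del self.last_access[sid]

    def lookup(self, cookies, now_ms):
        sid = cookies.get(self.cookie_name)
        if sid not in self.last_access:
            raise UnknownSession(f"There is no session with id [{sid}]")
        self.last_access[sid] = now_ms   # touching the session resets idle time
        return sid

def run(cookie_name):
    """Login, unfiltered static request, then one prompt and one late request."""
    jar = {}  # browser jar: one value per cookie name (same domain and path)
    store = SessionStore(cookie_name, timeout_ms=1_800_000)
    name, sid = store.create(now_ms=0)
    jar[name] = sid
    # Constructed: the container sets its own JSESSIONID on a static resource
    # request that the Shiro filter never saw.
    jar["JSESSIONID"] = "container-1"
    outcome = []
    for now in (1_000, 4_000_000):       # 1 s later, then after a long idle gap
        store.validate_sessions(now)
        try:
            store.lookup(jar, now)
            outcome.append("ok")
        except UnknownSession as exc:
            outcome.append(str(exc))
    return outcome
```

With the shared name, the first lookup already fails on the container's id; with jsid, only the request after the idle gap fails, which is the expected timeout behaviour.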
