Reputation: 445
Apache Shiro session management on Spring
I am newbie to both Spring and Shiro. I have some questions on Session Management.
I saw a question which gives quite a good introduction to Session Management.
But what I did not understand is, how does Shiro communicate with the client to pass the session information, and how will the client authenticate itself again over the subsequent requests. Does Shiro pass a session ID automatically, without me having to code for it?
- Does browser automatically store the session IDs and send it (may be over HTTPS) with subsequent requests?
- How does the session logout communicated to the client? And how does the client understand that it has to login again?
Thanks!
Upvotes: 2
Views: 1541
Answers (1)
Reputation: 24040
The session ID is stored as a browser cookie.
The session ID cookie is removed from the browser when the user logs out (and the session is invalidated on the server). Requests made after the cookie is dropped will appear to Shiro to be coming from an anonymous user, so Shiro will redirect the browser to a login page if they try to request a URL that requires you to be logged in.
Upvotes: 2
Related Questions
- How to add Shiro SessionListener when Shiro is used with Spring and web filter?
- Shiro: Session already invalidated
- Concurrent Session Control in Shiro
- Shiro authentication with sessionId or username+password
- apache Shiro Login
- Apache shiro and JSESSIONID
- Apache Shiro authentication customization
- Apache Shiro Login not working as intended (Session get created before login)
- Shiro HttpSession in SessionListener?
- Logout in Apache Shiro