Seems like I've been bombarding this list lately. I'm quite new to Shiro, which is why I ask all these silly questions. Must say that I'm very pleased so far. Shiro has turned out to be much easier to use than Spring Acegi that I have been using in the past.

Anyway, I'm using Shiro 1.1 to handle authentication for an OSGi-based web application using the http service in Apache Karaf. Currently my web application will return status 401 when trying to access resources that require an authenticated user in case the session does not contain an authenticated user. I would like to enhance the web application so that the client (the browser) can periodically (e.g. once a minute) check whether a user is still logged in. That way, if a user leaves the application for a while, I can display a login dialog so that the user can clearly see that s/he has been logged out.

The problem is that if the client calls my "checkLogin" method in the context of the current session once a minute then the session will never time out, since the last used timestamp will be updated on each call. Is there a best practice to accomplish this? I'm not sure if it's possible to make a call "outside" of the session. I was thinking about saving the last used timestamp in another session attribute and then restoring the real last used timestamp from my special attribute after invoking my "checkLogin" method. Not sure if that would work and thought it might be wise to ask if anyone has done something similar before.

/Bengt
