Hi Bengt,

How do you plan on doing checkLogin?

If you use subject.isAuthenticated(), it does not touch the session. If you use an authenticationFilter like the FormAuthenticationFilter, it can detect that the session has timed out and redirect the request to a login URL.

Manoj

On Tue, Nov 8, 2011 at 11:59 AM, Bengt Rodehav <[email protected]> wrote:
> Seems like I've been bombarding this list lately. I'm quite new to Shiro
> which is why I ask all these silly questions. Must say that I'm very pleased
> so far. Shiro has turned out to be much easier to use than Spring Acegi that
> I have been using in the past.
>
> Anyway, I'm using Shiro 1.1 to handle authentication for an OSGi based web
> application using the http service in Apache Karaf.
>
> Currently my web application will return status 401 when trying to access
> resources that require an authenticated user in case the session does not
> contain an authenticated user. I would like to enhance the web application
> so that the client (the browser) can periodically (e.g. once a minute)
> check whether a user is still logged in. That way, if a user leaves the
> application for a while, I can display a login dialog so that the user can
> clearly see that s/he has been logged out.
>
> The problem is that if the client calls my "checkLogin" method in the
> context of the current session once a minute then the session will never
> time out since the last used timestamp will be updated on each call. Is
> there a best practice to accomplish this? I'm not sure if it's possible to
> make a call "outside" of the session. I was thinking about saving the last
> used timestamp in another session attribute and then restore the real last
> used timestamp from my special attribute after invoking my "checkLogin"
> method. Not sure if that would work and thought it might be wise to ask if
> anyone has done something similar before.
>
> /Bengt

--
http://khangaonkar.blogspot.com/
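
The timeout problem raised in this thread, as an added example that is not part of the original messages and is not Shiro code: a plain-Java model of a sliding idle timeout that compares a once-a-minute poll that updates the last-used timestamp with one that only reads it. `IdleSession`, `touchingRequest`, `readOnlyCheck` and the 30-minute timeout are hypothetical names and constructed values.

```java
// Added illustration: a plain-Java model of a sliding idle timeout.
// IdleSession and its methods are hypothetical names, not Shiro classes.
public class HeartbeatTimeoutDemo {

    static final class IdleSession {
        private final long timeoutMillis;
        private long lastActivityMillis;

        IdleSession(long nowMillis, long timeoutMillis) {
            this.lastActivityMillis = nowMillis;
            this.timeoutMillis = timeoutMillis;
        }

        boolean isExpired(long nowMillis) {
            return nowMillis - lastActivityMillis >= timeoutMillis;
        }

        // Ordinary request: counts as user activity and slides the timeout window.
        boolean touchingRequest(long nowMillis) {
            if (isExpired(nowMillis)) return false;
            lastActivityMillis = nowMillis;
            return true;
        }

        // Status poll: reports login state but never updates the activity timestamp.
        boolean readOnlyCheck(long nowMillis) {
            return !isExpired(nowMillis);
        }
    }

    // Polls once a minute; returns the minute at which the poll first
    // reports "logged out", or -1 if that never happens within the horizon.
    static long firstLoggedOutMinute(boolean pollTouchesSession, long timeoutMin, long horizonMin) {
        final long minute = 60_000L;
        IdleSession s = new IdleSession(0, timeoutMin * minute); // last real user action at t=0
        for (long m = 1; m <= horizonMin; m++) {
            long now = m * minute;
            boolean loggedIn = pollTouchesSession ? s.touchingRequest(now) : s.readOnlyCheck(now);
            if (!loggedIn) return m;
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed scenario: 30-minute idle timeout, user walks away at t=0, 120 minutes observed.
        System.out.println("touching poll:  " + firstLoggedOutMinute(true, 30, 120));
        System.out.println("read-only poll: " + firstLoggedOutMinute(false, 30, 120));
    }
}
```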
