Hi Jason,

First, this would only be possible if using Shiro's native session
support. There is no way to do this using the default servlet
container sessions.

The state of a subject is bound to a thread and/or a Session (if
they're authenticated and sessions are enabled).

To log out all authenticated subjects you need to:

1. Clear out the session cache entirely.
2. Do either of the following:
   a. Delete all active sessions in the backing Session data store
      (used by the SessionDAO), or
   b. Update all active sessions' stoppedTimestamp to be the current
      time in the backing Session data store.

1 and 2.a. are the common approaches. 2.b. is only done if you store
and delete sessions manually from your data store outside of Shiro's
control.

You could do this if using Shiro's native session management and
you're using a SessionDAO that talks to a datastore that allows you to
do bulk updates.

Finally, note that 'rememberMe' users will still be remembered as long
as their rememberMe cookie exists. If you delete any remembered
Subject's session, they will still be remembered on the next request
(and likely a new session will be created to store the rememberMe
value). They just won't be authenticated.

HTH,
Les

On Wed, Nov 16, 2011 at 9:25 AM, Jason Davis <[email protected]> wrote:
> Hello,
> How can I log out all subjects? I can only find how to get the
> 'active' subject. I'd like to get a list of them all, or just be able
> to log them all out. Is this possible?
>
> Thanks,
> Jason