Thanks for the reply! If I have a list of all sessions can I invalidate() them all and be done? Or would that not be enough to log them out?
Thanks!
Jason Davis

On Wed, Nov 16, 2011 at 11:27 AM, Les Hazlewood <[email protected]> wrote:
> Hi Jason,
>
> First, this would only be possible if using Shiro's native session
> support. There is no way to do this using the default servlet
> container sessions.
>
> The state of a subject is bound to a thread and/or a Session (if
> they're authenticated and sessions are enabled).
>
> To log out all authenticated subjects you need to:
>
> 1. Clear out the session cache entirely.
> 2. Do either of the following:
>    a. Delete all active sessions in the backing Session data store
>       (used by the SessionDAO), or
>    b. Update all active sessions' stoppedTimestamp to be the current
>       time in the backing Session data store.
>
> 1 and 2.a. are the common approaches. 2.b. is only done if you store
> and delete sessions manually from your data store outside of Shiro's
> control.
>
> You could do this if using Shiro's native session management and
> you're using a SessionDAO that talks to a datastore that allows you to
> do bulk updates.
>
> Finally note that 'rememberMe' users will still be remembered as long
> as their rememberMe cookie exists. If you delete any remembered
> Subject's session, they will still be remembered on the next request
> (and likely a new session will be created to store the rememberMe
> value). They just won't be authenticated.
>
> HTH,
>
> Les
>
> On Wed, Nov 16, 2011 at 9:25 AM, Jason Davis <[email protected]> wrote:
>> Hello,
>> How can I log out all subjects? I can only find how to get the
>> 'active' subject. I'd like to get a list of them all, or just be able
>> to log them all out. Is this possible?
>>
>> Thanks,
>> Jason
>
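Steps 1 and 2.a from the quoted reply, sketched as an added example that is not part of the original thread or of Shiro itself. It assumes Shiro's native session management (a `DefaultSessionManager`) is configured; the class `LogoutAllSubjects` and method `logoutAll` are hypothetical names.

```java
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

import org.apache.shiro.cache.Cache;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.mgt.SessionsSecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.session.mgt.eis.CachingSessionDAO;
import org.apache.shiro.session.mgt.eis.SessionDAO;

/** Hypothetical helper (not a Shiro class): forces every subject to re-authenticate. */
public final class LogoutAllSubjects {
    private LogoutAllSubjects() {}

    /** Clears the session cache and deletes all active sessions; returns the number deleted. */
    public static int logoutAll(SecurityManager securityManager) {
        if (!(securityManager instanceof SessionsSecurityManager)) {
            throw new IllegalStateException("SecurityManager does not expose a SessionManager");
        }
        SessionManager sm = ((SessionsSecurityManager) securityManager).getSessionManager();
        // Servlet container sessions are not backed by a SessionDAO, so fail loudly
        // instead of silently logging nobody out.
        if (!(sm instanceof DefaultSessionManager)) {
            throw new IllegalStateException("Shiro native session management is required");
        }
        SessionDAO dao = ((DefaultSessionManager) sm).getSessionDAO();

        // Snapshot first: some DAOs return a live or cache-backed view.
        List<Session> active = new ArrayList<>(dao.getActiveSessions());

        // Step 1: clear the session cache so stale copies cannot be served.
        if (dao instanceof CachingSessionDAO) {
            Cache<Serializable, Session> cache = ((CachingSessionDAO) dao).getActiveSessionsCache();
            if (cache != null) {
                cache.clear();
            }
        }

        // Step 2.a: delete each active session from the backing data store.
        for (Session session : active) {
            dao.delete(session);
        }
        return active.size();
    }
}
```

A SessionDAO backed by a datastore with bulk operations can replace the loop with a single bulk delete, as the reply notes. Subjects holding a rememberMe cookie are still remembered on their next request, only no longer authenticated.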
