Thanks a lot Les. I have seen your posts on the grails mailing list while searching about this. Do you know how to get the session dao in grails when using the default session setup?
Thanks a lot!
Jason

On Wed, Nov 16, 2011 at 1:18 PM, Les Hazlewood <[email protected]> wrote:
> Hi Jason,
>
> My brain must be muddy today - your solution is simpler and should
> work fine. I don't know why I jumped right to the more complicated
> solution!
>
> That should be good enough but you will need to persist the state
> change back to the data store so invalidated sessions can be cleaned
> up as necessary.
>
> For example, by using the SessionManager's underlying SessionDAO:
>
> Collection<Session> activeSessions = sessionDAO.getActiveSessions();
> for( Session s : activeSessions ) {
>     s.invalidate();
>     sessionDAO.update(s);
> }
>
> HTH!
>
> Cheers,
>
> Les
>
> On Wed, Nov 16, 2011 at 10:35 AM, Jason Davis <[email protected]> wrote:
>> Thanks for the reply!
>> If I have a list of all sessions can I invalidate() them all and be
>> done? Or would that not be enough to log them out?
>>
>> Thanks!
>> Jason Davis
>>
>> On Wed, Nov 16, 2011 at 11:27 AM, Les Hazlewood <[email protected]>
>> wrote:
>>> Hi Jason,
>>>
>>> First, this would only be possible if using Shiro's native session
>>> support. There is no way to do this using the default servlet
>>> container sessions.
>>>
>>> The state of a subject is bound to a thread and/or a Session (if
>>> they're authenticated and sessions are enabled).
>>>
>>> To log out all authenticated subjects you need to:
>>>
>>> 1. Clear out the session cache entirely.
>>> 2. Do either of the following:
>>>    a. Delete all active sessions in the backing Session data store
>>>       (used by the SessionDAO), or
>>>    b. Update all active sessions' stoppedTimestamp to be the current
>>>       time in the backing Session data store.
>>>
>>> 1 and 2.a. are the common approaches. 2.b. is only done if you store
>>> and delete sessions manually from your data store outside of Shiro's
>>> control.
>>>
>>> You could do this if using Shiro's native session management and
>>> you're using a SessionDAO that talks to a datastore that allows you to
>>> do bulk updates.
>>>
>>> Finally note that 'rememberMe' users will still be remembered as long
>>> as their rememberMe cookie exists. If you delete any remembered
>>> Subject's session, they will still be remembered on the next request
>>> (and likely a new session will be created to store the rememberMe
>>> value). They just won't be authenticated.
>>>
>>> HTH,
>>>
>>> Les
>>>
>>> On Wed, Nov 16, 2011 at 9:25 AM, Jason Davis <[email protected]> wrote:
>>>> Hello,
>>>> How can I log out all subjects? I can only find how to get the
>>>> 'active' subject. I'd like to get a list of them all, or just be able
>>>> to log them all out. Is this possible?
>>>>
>>>> Thanks,
>>>> Jason
>
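
The force-logout procedure discussed in this thread, as an added example that is not part of the original messages and is not Shiro's own code. The class name `ForceLogoutAll`, the method `logoutAll` and the `deleteFromStore` flag are hypothetical; it assumes Shiro's native session management and calls `stop()`, the method Shiro's `Session` interface provides for ending a session.

```java
import java.util.ArrayList;
import java.util.Collection;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.mgt.SessionsSecurityManager;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.session.mgt.eis.CachingSessionDAO;
import org.apache.shiro.session.mgt.eis.SessionDAO;

/** Hypothetical helper: ends every active Shiro session (forced logout). */
public final class ForceLogoutAll {
    private ForceLogoutAll() {}

    /** Stops every active session and returns how many were stopped. */
    public static int logoutAll(SecurityManager sm, boolean deleteFromStore) {
        SessionDAO dao = nativeSessionDao(sm);
        // Copy first: a DAO may return a live view of its backing store.
        Collection<Session> active = new ArrayList<>(dao.getActiveSessions());
        int stopped = 0;
        for (Session s : active) {
            try {
                s.stop();              // marks the session as stopped
                if (deleteFromStore) {
                    dao.delete(s);     // option 2.a: remove it from the store
                } else {
                    dao.update(s);     // option 2.b: persist the stopped state
                }
                stopped++;
            } catch (InvalidSessionException gone) {
                // Already expired or removed by another thread: nothing to do.
            }
        }
        // Step 1: clear the session cache so no stale valid copy is served.
        if (dao instanceof CachingSessionDAO) {
            Cache<?, ?> cache = ((CachingSessionDAO) dao).getActiveSessionsCache();
            if (cache != null) { cache.clear(); }
        }
        return stopped;
    }

    private static SessionDAO nativeSessionDao(SecurityManager sm) {
        if (sm instanceof SessionsSecurityManager) {
            SessionManager mgr = ((SessionsSecurityManager) sm).getSessionManager();
            if (mgr instanceof DefaultSessionManager) {
                return ((DefaultSessionManager) mgr).getSessionDAO();
            }
        }
        // Servlet-container sessions expose no SessionDAO to enumerate.
        throw new IllegalStateException("Shiro native session management required");
    }
}
```

This leaves rememberMe cookies untouched, so, as the thread notes, remembered users are still recognised on their next request but are no longer authenticated.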
