Question

I use Shiro framework for authentication.

The problem is: when I close the Chrome browser and open it again I can still get access to protected URLs. If I delete the jsessionid cookie by hand all is ok, access to protected URLs becomes forbidden. In the settings of jsessionid I see: Expires: When the browsing session ends. So, it should be expired, but it isn't. Also I did this manipulation in Firefox and don't have that problem. I have no idea even which way to investigate.

P.S. I don't use the Shiro remember-me functionality. But anyway, while using it, Shiro creates another cookie (named rememberMe).


Solution

This is a known behavior on Chrome. Nothing to do with Apache Shiro. Here is the link:

https://productforums.google.com/forum/#!topic/chrome/9l-gKYIUg50/discussion

Think Google has marked this as WONTFIX, so most likely we will have to live with this. To counter this, I set the max-age to some acceptable value so that FF and Chrome can have the same behavior. Otherwise, while FF logs me off when the window closes, Chrome may continue to keep the session for whatever length it decides.

Another way is to trigger session validation in Shiro to harvest all expired sessions in Shiro and invalidate them. That way, any client trying to log in with an expired session will be told so. At that point you may choose to redirect the user to the login page.
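The two mitigations above (an explicit cookie max-age, plus scheduled session validation with a server-side timeout) expressed as a `shiro.ini` fragment. This is an added example, not the answerer's configuration or anything from the Shiro project; the cookie name, timeouts and interval are assumed values to adjust for your deployment.

```ini
[main]
# Added example: let Shiro's web session manager own the session cookie
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

# Server-side bound (ms): a session idle longer than 30 minutes is expired
# no matter how long the browser chooses to keep the cookie
sessionManager.globalSessionTimeout = 1800000

# Sweep expired sessions every 10 minutes so a stale id is rejected
# and the client is sent back to the login page
sessionManager.sessionValidationSchedulerEnabled = true
sessionManager.sessionValidationInterval = 600000

# Session-id cookie. maxAge = -1 is the default "browser session" cookie
# that Chrome may keep across restarts; give it an explicit lifetime instead
sessionIdCookie = org.apache.shiro.web.servlet.SimpleCookie
sessionIdCookie.name = JSESSIONID
sessionIdCookie.maxAge = 1800
sessionIdCookie.httpOnly = true
sessionIdCookie.secure = true
sessionManager.sessionIdCookie = $sessionIdCookie

# Keep the session id out of URLs (no ;jsessionid= rewriting)
sessionManager.sessionIdUrlRewritingEnabled = false
```

The cookie max-age only aligns browser behaviour; the `globalSessionTimeout` and validation scheduler are what actually bound session lifetime on the server, so keep both even if Chrome changes its cookie handling.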

Licensed under: CC-BY-SA with attribution