2
votes

I am a newbie to both Spring and Shiro. I have some questions on Session Management.

I saw a question which gives quite a good introduction to Session Management.

But what I did not understand is, how does Shiro communicate with the client to pass the session information, and how will the client authenticate itself again over the subsequent requests. Does Shiro pass a session ID automatically, without me having to code for it?

  1. Does the browser automatically store the session IDs and send them (maybe over HTTPS) with subsequent requests?
  2. How is the session logout communicated to the client? And how does the client understand that it has to log in again?

Thanks!

1 Answer

2
votes
  1. The session ID is stored as a browser cookie.

  2. The session ID cookie is removed from the browser when the user logs out (and the session is invalidated on the server). Requests made after the cookie is dropped will appear to Shiro to be coming from an anonymous user, so Shiro will redirect the browser to a login page if they try to request a URL that requires you to be logged in.
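
The cookie round trip described in this answer, modeled as an added Python example (not Shiro's code and not part of the original answer). The cookie name, the `/login`, `/logout` and `/account` paths, the always-successful login and the in-memory session store are assumptions made for the model. The last step replays the old session ID after logout to show why the server-side invalidation matters as well as the cookie removal.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "JSESSIONID"   # assumed cookie name for this model
LOGIN_URL = "/login"         # assumed login page
SESSIONS = {}                # server-side store: session ID -> user

def handle(path, cookie_header=""):
    """Toy server: returns (status, headers) for one request."""
    jar = SimpleCookie(cookie_header)
    sid = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
    user = SESSIONS.get(sid)             # missing or unknown ID -> anonymous
    if path == "/login":                 # constructed: login always succeeds
        sid = secrets.token_urlsafe(32)  # unguessable session ID
        SESSIONS[sid] = "alice"
        cookie = f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly"
        return 200, {"Set-Cookie": cookie}
    if path == "/logout":
        SESSIONS.pop(sid, None)          # invalidate the session on the server
        expired = f"{COOKIE_NAME}=deleted; Path=/; Max-Age=0"
        return 200, {"Set-Cookie": expired}   # tell the browser to drop it
    if user is None:
        return 302, {"Location": LOGIN_URL}   # anonymous -> login page
    return 200, {"X-User": user}

class Browser:
    """Toy client: stores cookies and sends them back on every request."""
    def __init__(self):
        self.cookies = {}

    def get(self, path):
        header = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        status, headers = handle(path, header)
        for name, morsel in SimpleCookie(headers.get("Set-Cookie", "")).items():
            if morsel["max-age"] == "0":
                self.cookies.pop(name, None)      # expired: remove from jar
            else:
                self.cookies[name] = morsel.value
        return status, headers

def demo():
    b = Browser()
    before = b.get("/account")[0]        # no cookie yet
    b.get("/login")
    old_sid = b.cookies[COOKIE_NAME]
    during = b.get("/account")[0]        # cookie sent automatically
    b.get("/logout")
    after = b.get("/account")[0]         # cookie gone from the jar
    replay = handle("/account", f"{COOKIE_NAME}={old_sid}")[0]  # stale copy
    return before, during, after, replay
```
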