# Session Management
Web session management components for Apache Shiro including servlet container session delegation, native Shiro session management, cookie-based session IDs, and session context management. These classes provide flexible session management strategies for web applications.
## Capabilities
### Web Session Manager Interface
```java { .api }
/**
 * Session manager contract for web applications.
 *
 * <p>Extends {@code SessionManager} with a single query that tells callers
 * who owns the session store.
 */
interface WebSessionManager extends SessionManager {

    /**
     * Reports whether sessions are delegated to the servlet container.
     *
     * <p>NOTE(review): when this is {@code true}, session cookie attributes and
     * timeouts are presumably governed by the container's own session
     * configuration rather than by Shiro's cookie settings; confirm where
     * hardening has to be applied for the deployment.
     *
     * @return {@code true} when servlet container sessions are in use
     */
    boolean isServletContainerSessions();
}
```
### Default Web Session Manager
```java { .api }
/**
 * Web-capable session manager built on {@code DefaultSessionManager}.
 *
 * <p>It exposes the two settings that decide how the session ID reaches the
 * client: the session ID cookie and URL rewriting.
 */
class DefaultWebSessionManager extends DefaultSessionManager implements WebSessionManager {

    /**
     * Creates the session manager.
     *
     * <p>NOTE(review): the defaults for the cookie and for URL rewriting are not
     * shown on this page and may differ between Shiro versions; set both
     * explicitly instead of relying on them.
     */
    public DefaultWebSessionManager();

    /**
     * @return whether sessions are delegated to the servlet container
     */
    public boolean isServletContainerSessions();

    /**
     * @return the cookie used to carry the session ID
     */
    public Cookie getSessionIdCookie();

    /**
     * Replaces the cookie used to carry the session ID.
     *
     * <p>The cookie passed in is where attributes such as HttpOnly and Secure
     * are set, so review it as security configuration.
     *
     * @param cookie the session ID cookie to use
     */
    public void setSessionIdCookie(Cookie cookie);

    /**
     * @return whether session ID URL rewriting is enabled
     */
    public boolean isSessionIdUrlRewritingEnabled();

    /**
     * Enables or disables session ID URL rewriting.
     *
     * <p>A session ID carried in a URL ends up in access logs, browser history
     * and Referer headers; keep this disabled unless cookie-less clients must
     * be supported.
     *
     * @param enabled {@code true} to allow the session ID in URLs
     */
    public void setSessionIdUrlRewritingEnabled(boolean enabled);

    /**
     * Resolves the session ID for the given request/response pair.
     *
     * <p>NOTE(review): the lookup sources (cookie, URL parameter) and their
     * order are not shown on this page; verify them before overriding.
     *
     * @param request the servlet request
     * @param response the servlet response
     * @return the session ID
     */
    protected Serializable getSessionId(ServletRequest request, ServletResponse response);

    /**
     * Records the given session ID for the client of this request/response pair.
     *
     * <p>NOTE(review): presumably done by writing the session ID cookie; confirm.
     *
     * @param currentId the session ID to store
     * @param request the servlet request
     * @param response the servlet response
     */
    protected void storeSessionId(Serializable currentId, ServletRequest request, ServletResponse response);
}
```
### Servlet Container Session Manager
```java { .api }
/**
 * {@code WebSessionManager} implementation for servlet container sessions.
 *
 * <p>NOTE(review): with container-managed sessions, the session cookie flags
 * and the idle timeout are presumably taken from the container's session
 * configuration, not from a Shiro {@code Cookie}; confirm and harden them there.
 */
class ServletContainerSessionManager implements WebSessionManager {

    /** Creates the session manager. */
    public ServletContainerSessionManager();

    /**
     * @return whether sessions are delegated to the servlet container
     */
    public boolean isServletContainerSessions();

    /**
     * Starts a session for the given context.
     *
     * @param context the data used to start the session
     * @return the started session
     */
    public Session start(SessionContext context);

    /**
     * Looks up the session identified by the given key.
     *
     * @param key the key identifying the session
     * @return the matching session
     * @throws SessionException if the session cannot be obtained
     */
    public Session getSession(SessionKey key) throws SessionException;

    /**
     * @return the currently active sessions
     */
    // NOTE(review): confirm that this method exists, and what it can return,
    // in the Shiro version in use before relying on it.
    public Collection<Session> getActiveSessions();
}
```
### Session Creation Control Filter
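Filter that disables session creation for the requests it matches, particularly useful for REST/API endpoints that should not create sessions. It only blocks the creation of new sessions: a session that already exists for the request stays usable, so the filter does not by itself make an endpoint stateless.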
```java { .api }
/**
 * Path-matching filter that switches off session creation for the requests
 * it is applied to.
 *
 * <p>List it ahead of any filter in the same chain that might create a
 * session, so the flag is already set when that filter runs.
 */
class NoSessionCreationFilter extends PathMatchingFilter {

    /**
     * Creates a filter that prevents session creation.
     */
    public NoSessionCreationFilter();

    /**
     * Marks the current request as not allowed to create a session by setting
     * the SESSION_CREATION_ENABLED attribute to false.
     *
     * <p>NOTE(review): this only affects creation of new sessions; presumably a
     * session that already exists for the caller is still honored, so it is
     * not a substitute for authentication or for invalidating old sessions.
     *
     * @param request the servlet request
     * @param response the servlet response
     * @param mappedValue the path-specific configuration
     * @return true so that filter chain processing continues
     */
    protected boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception;
}
```
## Usage Examples
### Session Manager Configuration
```java
/**
 * Builds a security manager that uses native Shiro sessions with a hardened
 * session ID cookie.
 *
 * <p>NOTE(review): the security manager is a local variable and is neither
 * returned nor registered here; an application must hand it to its Shiro
 * environment for this configuration to take effect.
 */
public void configureSessionManagement() {
    // Session ID cookie. HttpOnly keeps the ID out of reach of page scripts.
    // Secure restricts it to HTTPS, so the cookie is not sent over plain HTTP
    // (sessions will not persist there).
    SimpleCookie idCookie = new SimpleCookie("JSESSIONID");
    idCookie.setHttpOnly(true);
    idCookie.setSecure(true);

    // Native Shiro session management
    DefaultWebSessionManager nativeSessions = new DefaultWebSessionManager();
    nativeSessions.setGlobalSessionTimeout(30 * 60 * 1000); // 30 minutes, in milliseconds
    // Keep the session ID out of URLs, where it would leak through logs,
    // browser history and Referer headers.
    nativeSessions.setSessionIdUrlRewritingEnabled(false);
    nativeSessions.setSessionIdCookie(idCookie);

    DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
    securityManager.setSessionManager(nativeSessions);
}
```
### Session-less API Configuration
```java
/**
 * Defines filter chains in which API and REST paths authenticate on every
 * request without creating sessions, while web paths use session-based login.
 *
 * <p>NOTE(review): the resolver is a local variable and is not installed
 * anywhere in this snippet; an application must register it with its Shiro
 * filter for the chains to apply.
 */
public void configureSessionlessAPIs() {
    DefaultFilterChainManager chains = new DefaultFilterChainManager();

    // Chains are matched in the order they are created and the first matching
    // pattern wins, so specific paths come first and the catch-all stays last.

    // API endpoints should not create sessions. noSessionCreation is listed
    // first so the flag is set before the authentication filter runs.
    // Basic and bearer credentials accompany every request; serve these paths
    // over TLS only.
    chains.createChain("/api/**", "noSessionCreation, authcBasic");
    chains.createChain("/rest/**", "noSessionCreation, authcBearer");

    // Regular web paths can create sessions
    chains.createChain("/web/**", "authc");
    // NOTE(review): this catch-all leaves every path not listed above open to
    // unauthenticated requests. A default-deny catch-all (for example authc)
    // with an explicit list of public paths is the safer baseline.
    chains.createChain("/**", "anon");

    PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
    chainResolver.setFilterChainManager(chains);
}
```