I would like to enable extended (virtually forever) authentication for my web/mobile application, similar to how many popular sites operate (e.g. Facebook), virtually never needing to re-log in unless your credentials are changed from another terminal or the session is deliberately ended server-side. I am currently evaluating Apache Shiro. I have not yet been able to find a way to support dropping a cookie with some kind of access token that would be submitted every time the site is revisited so that the user does not need to log in again. Is there a way to do it?
Yes, you can configure the session cookie's MaxAge: https://shiro.apache.org/web.html#session_cookie
Using the bean properties of the cookie: https://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/servlet/SimpleCookie.html
I'm not sure I'm following the last bit about access tokens and cookies though.
Typically, using a session cookie is default functionality for web apps running on most Java Servlet containers (this differs once you get into REST API frameworks).
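A `shiro.ini` sketch of the session-cookie setting the answer points to, added here as an example and not taken from the original answer. It assumes Shiro's native web session manager is in use, and the 30-day lifetime is an illustrative value only. The cookie's `maxAge` only controls how long the browser keeps the cookie, so the server-side session timeout has to be raised to match.

```ini
[main]
# Assumption: switch to Shiro's native session manager so that the
# session id cookie is issued and configured by Shiro itself.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

# SimpleCookie.maxAge is in seconds. A negative value gives a cookie that
# is dropped when the browser closes, which is why users have to log in again.
# Illustrative value: 30 days.
securityManager.sessionManager.sessionIdCookie.maxAge = 2592000

# A cookie that lives this long is a long-lived credential:
# keep it away from page scripts and send it over HTTPS only.
securityManager.sessionManager.sessionIdCookie.httpOnly = true
securityManager.sessionManager.sessionIdCookie.secure = true

# globalSessionTimeout is in milliseconds and defaults to 30 minutes.
# Without raising it, the server expires the session long before the
# cookie does, and the persistent cookie then points at a dead session.
# Illustrative value: 30 days.
securityManager.sessionManager.globalSessionTimeout = 2592000000
```

With these settings the session still ends when it is invalidated server-side, since the cookie only carries the session id.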