
The org.apache.shiro.session.mgt.DelegatingSession implementation requires that the SessionKey argument returns a non-null sessionId


We've been using Apache Shiro for some time, with no problems, but have recently noticed users getting the following error when they attempt to log in or just after they log out of our application:

java.lang.IllegalArgumentException: The org.apache.shiro.session.mgt.DelegatingSession implementation requires that the SessionKey argument returns a non-null sessionId to support the Session.getId() invocations.

What could be causing this?


Solution

  • Turns out the problem was exactly what the error message stated - we were missing an "id" field in our session data.

    How did this happen? We have multiple applications that read and write out our session data, which is stored in Redis to support single sign-on.

    One of the applications writing to this store was writing out our session data as JSON without an "id" attribute, which corresponds to the session id stored in the cookie.

    So for example, the bad session data looked like this:

    {
      "lastAccessTime": "2016-09-21T12:35:00.018526Z",
      "startTimestamp": "2016-09-21T12:35:00.018526Z",
      "timeout": 1800000
    }
    

    and good session data looks like this (at a minimum) - note that there's an "id" attribute, that matches the session id stored in the session cookie.

    {
      "id": "f9b4f222-2660-4318-aae9-ba5f455d560",
      "lastAccessTime": "2016-09-21T12:40:44.813222Z",
      "startTimestamp": "2016-09-21T12:40:42.592Z",
      "timeout": 1800000
    }
    

    So all we had to do was get that app to add in the "id" attribute, and it fixed the problem!
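
When several applications write to one shared session store, each writer can validate a record against the contract before storing it. The check below is an added example, not code from the answer or from Apache Shiro; the function and constant names are hypothetical, and it assumes the caller passes the session cookie value alongside the serialized record.

```python
import json
from datetime import datetime

# Fields of the minimal "good" record shown in the answer above.
# All helper names in this block are hypothetical.
REQUIRED_FIELDS = ("id", "lastAccessTime", "startTimestamp", "timeout")
TS_FORMATS = ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ")


def _is_utc_timestamp(value):
    """True for strings such as 2016-09-21T12:40:42.592Z."""
    for fmt in TS_FORMATS:
        try:
            datetime.strptime(value, fmt)
            return True
        except (TypeError, ValueError):
            continue
    return False


def check_session_record(cookie_session_id, raw_json):
    """Return contract violations; an empty list means safe to write."""
    try:
        record = json.loads(raw_json)
    except ValueError as exc:
        return ["not valid JSON: %s" % exc]
    if not isinstance(record, dict):
        return ["top-level value is not a JSON object"]
    problems = ["missing field: " + f for f in REQUIRED_FIELDS if f not in record]
    if "id" in record:
        sid = record["id"]
        if not isinstance(sid, str) or not sid:
            problems.append("id is empty or not a string")
        elif sid != cookie_session_id:
            problems.append("id does not match the session cookie value")
    for field in ("lastAccessTime", "startTimestamp"):
        if field in record and not _is_utc_timestamp(record[field]):
            problems.append(field + " is not an ISO-8601 UTC timestamp")
    timeout = record.get("timeout")
    if "timeout" in record and (isinstance(timeout, bool) or not isinstance(timeout, int)):
        problems.append("timeout is not an integer number of milliseconds")
    return problems


# Constructed inputs: the two records from the answer, plus the cookie value.
COOKIE_ID = "f9b4f222-2660-4318-aae9-ba5f455d560"
BAD = '{"lastAccessTime": "2016-09-21T12:35:00.018526Z", "startTimestamp": "2016-09-21T12:35:00.018526Z", "timeout": 1800000}'
GOOD = '{"id": "f9b4f222-2660-4318-aae9-ba5f455d560", "lastAccessTime": "2016-09-21T12:40:44.813222Z", "startTimestamp": "2016-09-21T12:40:42.592Z", "timeout": 1800000}'

if __name__ == "__main__":
    for name, raw in (("bad", BAD), ("good", GOOD)):
        print(name, check_session_record(COOKIE_ID, raw) or "ok")
```

Rejecting a record at write time surfaces the faulty writer immediately, instead of as an `IllegalArgumentException` in whichever application next reads the session.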