Class MemorySessionDAO

  • All Implemented Interfaces:

    public class MemorySessionDAO
    extends AbstractSessionDAO
    Simple memory-based implementation of the SessionDAO that stores all of its sessions in an in-memory ConcurrentMap. This implementation does not page to disk and is therefore unsuitable for applications that could experience a large amount of sessions and would therefore cause OutOfMemoryExceptions. It is not recommended for production use in most environments.

    Memory Restrictions

    If your application is expected to host many sessions beyond what can be stored in the memory available to the JVM, it is highly recommended to use a different SessionDAO implementation which uses a more expansive or permanent backing data store.

    In this case, it is recommended to instead use a custom CachingSessionDAO implementation that communicates with a higher-capacity data store of your choice (file system, database, etc).

    Changes in 1.0

    This implementation prior to 1.0 used to subclass the CachingSessionDAO, but this caused problems with many cache implementations that would expunge entries due to TTL settings, resulting in Sessions that would be randomly (and permanently) lost. The Shiro 1.0 release refactored this implementation to be 100% memory-based (without Cache usage to avoid this problem.
    See Also:
    • Method Detail

      • doCreate

        protected Serializable doCreate​(Session session)
        Description copied from class: AbstractSessionDAO
        Subclass hook to actually persist the given Session instance to the underlying EIS.
        Specified by:
        doCreate in class AbstractSessionDAO
        session - the Session instance to persist to the EIS.
        the id of the session created in the EIS (i.e. this is almost always a primary key and should be the value returned from Session.getId().
      • doReadSession

        protected Session doReadSession​(Serializable sessionId)
        Description copied from class: AbstractSessionDAO
        Subclass implementation hook that retrieves the Session object from the underlying EIS or null if a session with that ID could not be found.
        Specified by:
        doReadSession in class AbstractSessionDAO
        sessionId - the id of the Session to retrieve.
        the Session in the EIS identified by sessionId or null if a session with that ID could not be found.
      • update

        public void update​(Session session)
                    throws UnknownSessionException
        Description copied from interface: SessionDAO
        Updates (persists) data from a previously created Session instance in the EIS identified by {@link Session#getId() session.getId()}. This effectively propagates the data in the argument to the EIS record previously saved.

        In addition to UnknownSessionException, implementations are free to throw any other exceptions that might occur due to integrity violation constraints or other EIS related errors.

        session - the Session to update
        UnknownSessionException - if no existing EIS session record exists with the identifier of session.getSessionId()
      • delete

        public void delete​(Session session)
        Description copied from interface: SessionDAO
        Deletes the associated EIS record of the specified session. If there never existed a session EIS record with the identifier of session.getId(), then this method does nothing.
        session - the session to delete.
      • getActiveSessions

        public Collection<SessiongetActiveSessions()
        Description copied from interface: SessionDAO
        Returns all sessions in the EIS that are considered active, meaning all sessions that haven't been stopped/expired. This is primarily used to validate potential orphans.

        If there are no active sessions in the EIS, this method may return an empty collection or null.


        This method should be as efficient as possible, especially in larger systems where there might be thousands of active sessions. Large scale/high performance implementations will often return a subset of the total active sessions and perform validation a little more frequently, rather than return a massive set and validate infrequently. If efficient and possible, it would make sense to return the oldest unstopped sessions available, ordered by lastAccessTime.

        Smart Results

        Ideally this method would only return active sessions that the EIS was certain should be invalided. Typically that is any session that is not stopped and where its lastAccessTimestamp is older than the session timeout.

        For example, if sessions were backed by a relational database or SQL-92 'query-able' enterprise cache, you might return something similar to the results returned by this query (assuming SimpleSessions were being stored):

         select * from sessions s where s.lastAccessTimestamp < ? and s.stopTimestamp is null
        where the ? parameter is a date instance equal to 'now' minus the session timeout (e.g. now - 30 minutes).
        a Collection of Sessions that are considered active, or an empty collection or null if there are no active sessions.