ServletContainerSessionManager isn’t a ValidatingSessionManager ; does it defer to the underlying container to handle

Question

0

Asked: June 12, 20262026-06-12T21:45:26+00:00 2026-06-12T21:45:26+00:00

ServletContainerSessionManager isn’t a ValidatingSessionManager ; does it defer to the underlying container to handle

0

ServletContainerSessionManager isn’t a ValidatingSessionManager; does it defer to the underlying container to handle orphan cleanup? That doesn’t seem right.

I assume that switching to DefaultWebSessionManager, as it’s a full-featured implementation, would have no risks or drawbacks?
Is there any reason that’s not the default for this module?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-12T21:45:28+00:00

ServletContainerSessionManager does indeed defer to the container for all session related functionality. ShiroWebModule defaults to this simply because that was the default already expected in the DefaultWebSecurityManager – the intention was to keep the defaults the same whether you were using the basic ini setup, spring, or guice.

That being said, if your need is for managing the sessions within Shiro, there is no reason to not switch to DefaultWebSessionManager. Indeed, that is why the bindSessionManager method exists.

To switch, simply override bindSessionManager:

@Override
protected void bindSessionManager(AnnotatedBindingBuilder<SessionManager> bind) {
    bind.to(DefaultWebSessionManager.class).asEagerSingleton();
}

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

ServletContainerSessionManager isn’t a ValidatingSessionManager ; does it defer to the underlying container to handle

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply