No error or exception stack-traces. User can log-in without any problem and shiro can create a session but then next time the user tries to login Shiro cannot bind to the session and authenticates the user again so creates another session where this (currentUser.isAuthenticated()) should return true. I can see the sessions are getting invalidated after an hour later.

The exact same application with the same server configurations without any changes and the same database instance runs perfectly on 8.0 final. Here, I copy-pasted the relevant config and the code. Thanks so much for your help, looking forward to your reply. Cheers

Shiro.ini

[main]

jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm

jdbcRealm.authenticationQuery=SELECT password FROM Person WHERE username = ?

jdbcRealm.userRolesQuery=select rolename from role r left join person p on p.USERNAME = ? left join person_roles pr on pr.Person_personid = p.ID where pr.Role_roleid = r.ID

ds=com.mysql.jdbc.jdbc2.optional.MysqlDataSource

ds.serverName=localhost

ds.user=******

ds.password=******

ds.databaseName=******

jdbcRealm.dataSource=$ds

sha256Matcher=org.apache.shiro.authc.credential.Sha256CredentialsMatcher

jdbcRealm.credentialsMatcher=$sha256Matcher

sessionManager=org.apache.shiro.web.session.mgt.DefaultWebSessionManager

securityManager.sessionManager=$sessionManager

authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter

authc.loginUrl = /admin/login.html

[urls]

/rest/authentication/login/** = anon

/admin/css/** = anon

/admin/js/** = anon

/** = authc

Web.xml

    <listener>

        <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>

    </listener>

    <filter>

        <filter-name>ShiroFilter</filter-name>

        <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>

    </filter>

    <filter-mapping>

        <filter-name>ShiroFilter</filter-name>

        <url-pattern>/*</url-pattern>

        <dispatcher>REQUEST</dispatcher>

        <dispatcher>FORWARD</dispatcher>

        <dispatcher>INCLUDE</dispatcher>

        <dispatcher>ERROR</dispatcher>

    </filter-mapping>

login code

        Subject currentUser = SecurityUtils.getSubject();

        if (!currentUser.isAuthenticated()) {

            UsernamePasswordToken token = new UsernamePasswordToken(username, password, true);

            try {

                currentUser.login(token);

                currentUser.getSession(true);

                log.info("User: " + username + " logged in succcessfuly.");

                return "Successfuly Authenticated ";

            } catch (UnknownAccountException e) {

                log.info("Unknown Account Exception");

                return "Authentication Failed";

            } catch (IncorrectCredentialsException e) {

                log.info("Incorrect Credentials Exception");

                return "Authentication Failed";

            } catch (LockedAccountException e) {

                log.info("Locked Account Exception");

                return "Authentication Failed";

            } catch (AuthenticationException e) {

                log.info("Authentication Exception");

                return "Authentication Failed";

            }

        }

        return "Already Authenticated";

Hey Tomaz, thanks for your reply, I did have a look at the jira and it might be related to my issue but still couldn't get it working with the workarounds that worked for their applications.

I have noticed that when I run my web application on  8.0, after in the login page response header I can see this cookie

1. Set-Cookie:JSESSIONID=4f65f700-151b-4852-9b47-cc2678343e17.pinchy; path=

But 8.1 login page response header doesn't set this cookie so I don't really understand what happening here but changing name JSESSIONID to something else fixed the issue.

here what I have added to my shiro.ini

cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = shiro.session.id
sessionManager.sessionIdCookie = $cookie