Pac4j and Apache Shiro 2.2.0: Session ID gets changed on each refresh for access token exchange


Anna Weber

Jun 11, 2026, 9:42:13 AM
to Pac4j development mailing list
Hi,

Due to changes made in Apache Shiro 2.2.0, the session ID will be changed on each login:


The Pac4j Shiro bridge offers a ShiroHelper which is used each time the profile is saved. When a refresh token is exchanged for a new access token, we save the profile again and call the ShiroHelper, which in turn calls Subject.login. This again triggers the change of the session ID and may lead to unexpected effects in the application.
The question is whether we need to call Subject.login here, when we only exchange a refresh token for a new access token, and Subject.isAuthenticated is already true before the login call.

Thanks,
Anna
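As an added illustration of the behaviour described above (this is not buji-pac4j's own ShiroHelper and not code from the thread), the helper below populates the Shiro Subject from pac4j profiles but only calls Subject.login when the Subject is not yet authenticated, and records the Shiro session ID before and after the login so an application can see whether Shiro 2.2.0 regenerated it. The class name GuardedShiroHelper is hypothetical; the Pac4jToken constructor signature, and the statement that the refreshed profile is still stored by pac4j's own ProfileManager in the session store, are assumptions.

```java
import java.util.List;
import java.util.logging.Logger;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.pac4j.core.profile.UserProfile;
import io.buji.pac4j.token.Pac4jToken;

/**
 * Hypothetical helper (added example, not buji-pac4j's ShiroHelper).
 * Calls Subject.login only for a not-yet-authenticated Subject, so that
 * re-saving the profile after a refresh-token exchange does not trigger
 * Shiro 2.2.0's login-time session ID change.
 */
public final class GuardedShiroHelper {

    private static final Logger LOG = Logger.getLogger(GuardedShiroHelper.class.getName());

    private GuardedShiroHelper() {}

    /**
     * @param profiles the pac4j profiles just saved by the ProfileManager
     * @return true if Subject.login was called (the session ID may have changed),
     *         false if the Subject was already authenticated and login was skipped
     */
    public static boolean populateSubject(final List<UserProfile> profiles) {
        if (profiles == null || profiles.isEmpty()) {
            return false;
        }
        final Subject subject = SecurityUtils.getSubject();

        if (subject.isAuthenticated()) {
            // Refresh-token case from the thread: the user is already logged in.
            // Skipping login keeps the Shiro session ID stable. Caveat (assumption):
            // the principal collection Shiro stored at the first login is not
            // updated by this path; the refreshed profile is the one pac4j's
            // ProfileManager saved in the session store.
            LOG.fine("Subject already authenticated, skipping Subject.login");
            return false;
        }

        // First login: Shiro 2.2.0 is expected to regenerate the session ID here.
        // Subject.getSession() creates a session if none exists yet.
        final String before = String.valueOf(subject.getSession().getId());
        // Pac4jToken(profiles, isRemembered) is the assumed constructor.
        subject.login(new Pac4jToken(profiles, false));
        final String after = String.valueOf(subject.getSession().getId());

        if (!before.equals(after)) {
            LOG.info("Session ID changed on login: " + before + " -> " + after);
        }
        return true;
    }
}
```

Wiring this in would mean having the profile-saving code call GuardedShiroHelper.populateSubject(profiles) where it currently calls the bridge's ShiroHelper; the boolean return value lets the caller log or assert, in a test, that a refresh-token exchange never caused a session ID change.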


Jérôme LELEU

Jun 12, 2026, 5:20:14 AM
to Anna Weber, Pac4j development mailing list
Hi,

OK. I'm not sure I understand your question: you want to check Subject.isAuthenticated before calling Subject.login?
Thanks.
Best regards,
Jérôme


--
You received this message because you are subscribed to the Google Groups "Pac4j development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-dev+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/pac4j-dev/9f1462e3-2a9c-4780-9f84-5657f43f5bd9n%40googlegroups.com.

Anna Weber

Jun 12, 2026, 6:06:06 AM
to Pac4j development mailing list
Hi,

In general I would argue that it is not necessary to change the session ID for a refresh token to access token exchange.
Would you agree?

If so, is there maybe a different way to update the subject data other than using Subject.login in ShiroHelper?

Of course we can adapt the Shiro side and use a custom WebSecurityManager if we don't want to change the session ID in this case, but maybe we can also avoid this in the pac4j code?

I would be glad to hear your opinion on this matter before opening any PR.

Thanks,
Anna

Jérôme LELEU

Jun 12, 2026, 9:55:01 AM
to Anna Weber, Pac4j development mailing list
Hi,

I think that retrieving a new access token thanks to a refresh token happens in the same session. So I would not change the session ID.

Then, I'm not sure what the best approach is technically to do that.

Thanks.
Best regards,
Jérôme

