Shiro session timeout setting has no effect: troubleshooting process

Spring - Shiro

Shiro sets the session timeout to 2 minutes

<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
    <!-- globalSessionTimeout is in milliseconds: 120000 ms = 2 minutes -->
    <property name="globalSessionTimeout" value="120000"/>
    <property name="deleteInvalidSessions" value="true"/>
    <!-- <property name="sessionValidationSchedulerEnabled" value="true"/> -->
    <property name="sessionValidationScheduler" ref="sessionValidationScheduler"/>
    <property name="sessionDAO" ref="sessionDAO"/>
    <property name="sessionIdCookieEnabled" value="true"/>
    <property name="sessionIdCookie" ref="sessionIdCookie"/>
</bean>

 

web.xml

The web configuration file sets the timeout to 2 minutes

<session-config>
    <!-- session-timeout is in minutes -->
    <session-timeout>2</session-timeout>
</session-config>


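Cause:

In the CheckCodeController.java class, in order to give the check code (CAPTCHA) a validity period, the architect set maxInactiveInterval, the maximum inactive interval, on the session. This setting directly overrides the timeout configured in Shiro and in web.xml.
Below is the code of the function that generates the check code: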
private void generateGBCheckCode() throws Exception {
	int codeCount = 4;

	final int width = 30 * codeCount, height = 36;
	BufferedImage image = new BufferedImage(width, height,
		BufferedImage.TYPE_INT_RGB);

	// Draw the check code into the image and keep its text for later comparison
	final String sCheckCode = creatImageGB(image, codeCount);
	final HttpSession session = request.getSession();
	// This changes the timeout of the whole session, not only of the check code,
	// which is what overrides the Shiro and web.xml settings
	session.setMaxInactiveInterval(GENERATE_TIME);
	session.setAttribute(ManageConstants.GENERATE_CHECK_CODE_FLAG, sCheckCode);

	response.setHeader("Cache-Control", "no-cache"); // HTTP 1.1
	response.setHeader("Pragma", "no-cache"); // HTTP 1.0
	response.setDateHeader("Expires", -1); // prevents caching at the proxy server
	response.setContentType("image/png");
	ImageIO.write(image, "PNG", response.getOutputStream());
}
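
One way to expire the check code without touching the session timeout, as an added example that is not the original project's code: the code is stored together with its own expiry time, and session.setMaxInactiveInterval is never called. The class name TimedCheckCode and the sample values are hypothetical; the usage comment assumes GENERATE_TIME is in seconds, since that is the unit setMaxInactiveInterval takes.

```java
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example (hypothetical class): a check code that carries its own expiry,
// so the session's maxInactiveInterval and Shiro's globalSessionTimeout stay untouched.
public final class TimedCheckCode implements Serializable {
    private static final long serialVersionUID = 1L;

    private final String code;
    private final long expiresAtMillis;

    public TimedCheckCode(String code, long ttlMillis, long nowMillis) {
        if (code == null || code.isEmpty() || ttlMillis <= 0) {
            throw new IllegalArgumentException("non-empty code and positive TTL required");
        }
        this.code = code;
        this.expiresAtMillis = nowMillis + ttlMillis;
    }

    // True only if the code has not expired and the submitted value equals it.
    public boolean matches(String submitted, long nowMillis) {
        if (submitted == null || nowMillis >= expiresAtMillis) {
            return false;
        }
        byte[] expected = code.getBytes(StandardCharsets.UTF_8);
        byte[] actual = submitted.trim().getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual); // comparison without early exit
    }

    // In generateGBCheckCode(), in place of session.setMaxInactiveInterval(GENERATE_TIME):
    //   session.setAttribute(ManageConstants.GENERATE_CHECK_CODE_FLAG,
    //       new TimedCheckCode(sCheckCode, GENERATE_TIME * 1000L, System.currentTimeMillis()));
    // When verifying: read the attribute, call matches(), then removeAttribute()
    // so that each check code can be used only once.

    public static void main(String[] args) {
        long t0 = 1_000_000L; // constructed clock value
        TimedCheckCode c = new TimedCheckCode("K7QD", 60_000L, t0); // constructed sample code
        System.out.println("within TTL:  " + c.matches("K7QD", t0 + 59_999L));
        System.out.println("expired:     " + c.matches("K7QD", t0 + 60_000L));
        System.out.println("wrong value: " + c.matches("XXXX", t0 + 1_000L));
    }
}
```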

 

posted @ 2016-02-29 10:51  旋转的梦