shiro kick out user

You shouldn't try to recreate the session and then operate it, you should get the session via the security manager, using the thread the user was logged into, like so:

SecurityUtils.getSubject().logout();

If you somehow want to call logout from a different thread, you can use the SessionDAO interface, but you need to do extra configuration to have shiro use a SessionDAO as described here:

http://shiro.apache.org/session-management.html#SessionManagement-SessionStorage

When you have configured it correctly you can do stuff like:

    DefaultSecurityManager securityManager = (DefaultSecurityManager) SecurityUtils.getSecurityManager();
    DefaultSessionManager sessionManager = (DefaultSessionManager) securityManager.getSessionManager();
    Collection<Session> activeSessions = sessionManager.getSessionDAO().getActiveSessions();
    for (Session session: activeSessions){
        if (sessionId.equals(session.getId()){
            session.stop();
        }
    }