


public interface SessionManager {

    Session start(SessionContext context);

    Session getSession(SessionKey key) throws SessionException;


/**AbstractSessionManager是SessionManager的顶层抽象类,主要提供Session存活时间管理的支持, 默认session存活时间是30分钟 deprecate this class (see SHIRO-240): 这个类主要为子类提供一个常用的属性“globalSessionTimeout”的支持,最初设计是为ServletContainerSessionManager 和AbstractNativeSessionManager提供session存活时间管理支持,但是ServletContainerSessionManager的实现并没有 使用该“globalSessionTimeout”,这意味着只有AbstractNativeSessionManager需要使用。所以该类没有存在必要了。 https://issues.apache.org/jira/browse/SHIRO-240 **/
public abstract class AbstractSessionManager implements SessionManager {

    protected static final long MILLIS_PER_SECOND = 1000;
    protected static final long MILLIS_PER_MINUTE = 60 * MILLIS_PER_SECOND;
    protected static final long MILLIS_PER_HOUR = 60 * MILLIS_PER_MINUTE;

    /** * Default main session timeout value, equal to {@code 30} minutes. */
    public static final long DEFAULT_GLOBAL_SESSION_TIMEOUT = 30 * MILLIS_PER_MINUTE;
    private long globalSessionTimeout = DEFAULT_GLOBAL_SESSION_TIMEOUT;

    public AbstractSessionManager() {

    public long getGlobalSessionTimeout() {
        return this.globalSessionTimeout;

    public void setGlobalSessionTimeout(long globalSessionTimeout) {
        this.globalSessionTimeout = globalSessionTimeout;


/** 该类基础父类AbstractSessionManager和实现NativeSessionManager接口(session操作方法规范),提供 session的start、stop、Expiration状态的触发通知。 **/
public abstract class AbstractNativeSessionManager extends AbstractSessionManager implements NativeSessionManager {

    private static final Logger log = LoggerFactory.getLogger(AbstractSessionManager.class);
    private Collection<SessionListener> listeners;

    public AbstractNativeSessionManager() {
        this.listeners = new ArrayList<SessionListener>();

    public void setSessionListeners(Collection<SessionListener> listeners) {
        this.listeners = listeners != null ? listeners : new ArrayList<SessionListener>();

    public Collection<SessionListener> getSessionListeners() {
        return this.listeners;
    public Session start(SessionContext context) {
        Session session = createSession(context);
        onStart(session, context);
        return createExposedSession(session, context);

    protected abstract Session createSession(SessionContext context) throws AuthorizationException;
    protected void applyGlobalSessionTimeout(Session session) {

    //模板方法:子类对session start后作出反应
    protected void onStart(Session session, SessionContext context) {
    public Session getSession(SessionKey key) throws SessionException {
        Session session = lookupSession(key);
        return session != null ? createExposedSession(session, key) : null;

    private Session lookupSession(SessionKey key) throws SessionException {
        if (key == null) {
            throw new NullPointerException("SessionKey argument cannot be null.");
        return doGetSession(key);
    private Session lookupRequiredSession(SessionKey key) throws SessionException {
        Session session = lookupSession(key);
        if (session == null) {
            String msg = "Unable to locate required Session instance based on SessionKey [" + key + "].";
            throw new UnknownSessionException(msg);
        return session;
    protected abstract Session doGetSession(SessionKey key) throws InvalidSessionException;
    protected Session createExposedSession(Session session, SessionContext context) {
        return new DelegatingSession(this, new DefaultSessionKey(session.getId()));
    protected Session createExposedSession(Session session, SessionKey key) {
        return new DelegatingSession(this, new DefaultSessionKey(session.getId()));

    protected Session beforeInvalidNotification(Session session) {
        return new ImmutableProxiedSession(session);

    //session start创建后调用SessionListener的onStart通知
    protected void notifyStart(Session session) {
        for (SessionListener listener : this.listeners) {
    //session stop后调用SessionListener的onStop通知
    protected void notifyStop(Session session) {
        Session forNotification = beforeInvalidNotification(session);
        for (SessionListener listener : this.listeners) {
    //session Expiration后调用SessionListener的onExpiration通知
    protected void notifyExpiration(Session session) {
        Session forNotification = beforeInvalidNotification(session);
        for (SessionListener listener : this.listeners) {
    //根据sessionKey 获取session的创建时间
    public Date getStartTimestamp(SessionKey key) {
        return lookupRequiredSession(key).getStartTimestamp();
    //根据sessionKey 获取session最后访问时间
    public Date getLastAccessTime(SessionKey key) {
        return lookupRequiredSession(key).getLastAccessTime();
    //根据sessionKey 获取session过期时间. 负数:则永远不过期 正数:毫秒内有效
    public long getTimeout(SessionKey key) throws InvalidSessionException {
        return lookupRequiredSession(key).getTimeout();
    public void setTimeout(SessionKey key, long maxIdleTimeInMillis) throws InvalidSessionException {
        Session s = lookupRequiredSession(key);
    public void touch(SessionKey key) throws InvalidSessionException {
        Session s = lookupRequiredSession(key);
    //根据sessionKey获取session 访问IP..
    public String getHost(SessionKey key) {
        return lookupRequiredSession(key).getHost();
    //根据sessionKey 获取session里的设置的属性
    public Collection<Object> getAttributeKeys(SessionKey key) {
        Collection<Object> c = lookupRequiredSession(key).getAttributeKeys();
        if (!CollectionUtils.isEmpty(c)) {
            return Collections.unmodifiableCollection(c);
        return Collections.emptySet();
    public Object getAttribute(SessionKey sessionKey, Object attributeKey) throws InvalidSessionException {
        return lookupRequiredSession(sessionKey).getAttribute(attributeKey);
    public void setAttribute(SessionKey sessionKey, Object attributeKey, Object value) throws InvalidSessionException {
        if (value == null) {
            removeAttribute(sessionKey, attributeKey);
        } else {
            Session s = lookupRequiredSession(sessionKey);
            s.setAttribute(attributeKey, value);
    public Object removeAttribute(SessionKey sessionKey, Object attributeKey) throws InvalidSessionException {
        Session s = lookupRequiredSession(sessionKey);
        Object removed = s.removeAttribute(attributeKey);
        if (removed != null) {
        return removed;
    public boolean isValid(SessionKey key) {
        try {
            return true;
        } catch (InvalidSessionException e) {
            return false;
    public void stop(SessionKey key) throws InvalidSessionException {
        Session session = lookupRequiredSession(key);
        try {
            if (log.isDebugEnabled()) {
                log.debug("Stopping session with id [" + session.getId() + "]");
        //执行session 停止模板方法
            onStop(session, key);
        } finally {
    protected void onStop(Session session, SessionKey key) {
    protected void onStop(Session session) {

    protected void afterStopped(Session session) {
    public void checkValid(SessionKey key) throws InvalidSessionException {
        //just try to acquire it. If there is a problem, an exception will be thrown:
    protected void onChange(Session s) {


/** AbstractValidatingSessionManager继承于AbstractNativeSessionManager且实现了ValidatingSessionManager接口,该抽象类 主要提供session验证和过期session检测。 **/
public abstract class AbstractValidatingSessionManager extends AbstractNativeSessionManager implements ValidatingSessionManager, Destroyable {

    private static final Logger log = LoggerFactory.getLogger(AbstractValidatingSessionManager.class);

    protected boolean sessionValidationSchedulerEnabled;

    protected SessionValidationScheduler sessionValidationScheduler;
    protected long sessionValidationInterval;

    public AbstractValidatingSessionManager() {
        this.sessionValidationSchedulerEnabled = true;
        this.sessionValidationInterval = DEFAULT_SESSION_VALIDATION_INTERVAL;

    public boolean isSessionValidationSchedulerEnabled() {
        return sessionValidationSchedulerEnabled;

    public void setSessionValidationSchedulerEnabled(boolean sessionValidationSchedulerEnabled) {
        this.sessionValidationSchedulerEnabled = sessionValidationSchedulerEnabled;

    public void setSessionValidationScheduler(SessionValidationScheduler sessionValidationScheduler) {
        this.sessionValidationScheduler = sessionValidationScheduler;

    public SessionValidationScheduler getSessionValidationScheduler() {
        return sessionValidationScheduler;
    private void enableSessionValidationIfNecessary() {
        SessionValidationScheduler scheduler = getSessionValidationScheduler();
        if (isSessionValidationSchedulerEnabled() && (scheduler == null || !scheduler.isEnabled())) {

    public void setSessionValidationInterval(long sessionValidationInterval) {
        this.sessionValidationInterval = sessionValidationInterval;

    public long getSessionValidationInterval() {
        return sessionValidationInterval;

    protected final Session doGetSession(final SessionKey key) throws InvalidSessionException {

        log.trace("Attempting to retrieve session with key {}", key);
        Session s = retrieveSession(key);
        if (s != null) {
            validate(s, key);
        return s;

    protected abstract Session retrieveSession(SessionKey key) throws UnknownSessionException;

    protected Session createSession(SessionContext context) throws AuthorizationException {
        return doCreateSession(context);
    protected abstract Session doCreateSession(SessionContext initData) throws AuthorizationException;
    protected void validate(Session session, SessionKey key) throws InvalidSessionException {
        try {
        } catch (ExpiredSessionException ese) {
            onExpiration(session, ese, key);
            throw ese;
        } catch (InvalidSessionException ise) {
            onInvalidation(session, ise, key);
            throw ise;
    protected void onExpiration(Session s, ExpiredSessionException ese, SessionKey key) {
        log.trace("Session with id [{}] has expired.", s.getId());
        try {

        } finally {

    protected void onExpiration(Session session) {

    protected void afterExpired(Session session) {
    protected void onInvalidation(Session s, InvalidSessionException ise, SessionKey key) {
        if (ise instanceof ExpiredSessionException) {
            onExpiration(s, (ExpiredSessionException) ise, key);
        log.trace("Session with id [{}] is invalid.", s.getId());
        try {
        } finally {
    protected void doValidate(Session session) throws InvalidSessionException {
        if (session instanceof ValidatingSession) {
            ((ValidatingSession) session).validate();
        } else {
            String msg = "The " + getClass().getName() + " implementation only supports validating " +
                    "Session implementations of the " + ValidatingSession.class.getName() + " interface. " +
                    "Please either implement this interface in your session implementation or override the " +
                    AbstractValidatingSessionManager.class.getName() + ".doValidate(Session) method to perform validation.";
            throw new IllegalStateException(msg);

    /** * 这我也搞不懂干嘛的。。 * Subclass template hook in case per-session timeout is not based on * {@link org.apache.shiro.session.Session#getTimeout()}. * <p/> * <p>This implementation merely returns {@link org.apache.shiro.session.Session#getTimeout()}</p> * * @param session the session for which to determine session timeout. * @return the time in milliseconds the specified session may remain idle before expiring. */
    protected long getTimeout(Session session) {
        return session.getTimeout();

    protected void enableSessionValidation() {
        SessionValidationScheduler scheduler = getSessionValidationScheduler();
        if (scheduler == null) {
            scheduler = createSessionValidationScheduler();
        if (log.isInfoEnabled()) {
            log.info("Enabling session validation scheduler...");
    protected SessionValidationScheduler createSessionValidationScheduler() {
        ExecutorServiceSessionValidationScheduler scheduler;

        if (log.isDebugEnabled()) {
            log.debug("No sessionValidationScheduler set. Attempting to create default instance.");
        scheduler = new ExecutorServiceSessionValidationScheduler(this);
        if (log.isTraceEnabled()) {
            log.trace("Created default SessionValidationScheduler instance of type [" + scheduler.getClass().getName() + "].");
        return scheduler;

    protected void afterSessionValidationEnabled() {
    protected void disableSessionValidation() {
        SessionValidationScheduler scheduler = getSessionValidationScheduler();
        if (scheduler != null) {
            try {
                if (log.isInfoEnabled()) {
                    log.info("Disabled session validation scheduler.");
            } catch (Exception e) {
                if (log.isDebugEnabled()) {
                    String msg = "Unable to disable SessionValidationScheduler. Ignoring (shutting down)...";
                    log.debug(msg, e);

    protected void beforeSessionValidationDisabled() {

    public void destroy() {

    public void validateSessions() {
        if (log.isInfoEnabled()) {
            log.info("Validating all active sessions...");
        int invalidCount = 0;
        Collection<Session> activeSessions = getActiveSessions();
        /** 当你用户量如果非常大时候,假如有1亿个session,那么迭代会花很长时间且在这一阶段里会影响性能.可以分批次 **/
        if (activeSessions != null && !activeSessions.isEmpty()) {
            for (Session s : activeSessions) {
                try {
                    //simulate a lookup key to satisfy the method signature.
                    //this could probably stand to be cleaned up in future versions:
                    SessionKey key = new DefaultSessionKey(s.getId());
                    validate(s, key);
                } catch (InvalidSessionException e) {
                    if (log.isDebugEnabled()) {
                        boolean expired = (e instanceof ExpiredSessionException);
                        String msg = "Invalidated session with id [" + s.getId() + "]" +
                                (expired ? " (expired)" : " (stopped)");

        if (log.isInfoEnabled()) {
            String msg = "Finished session validation.";
            if (invalidCount > 0) {
                msg += " [" + invalidCount + "] sessions were stopped.";
            } else {
                msg += " No sessions were stopped.";
    protected abstract Collection<Session> getActiveSessions();


/** DefaultSessionManager继承AbstractValidatingSessionManager且实现CacheManagerAware接口, 该具体实现类实现缓存接口CacheManagerAware只是为了让SessionDAO使用。 所有关于session的状态的改变都是交由DefaultSessionManager的sessionDAO处理。 **/
public class DefaultSessionManager extends AbstractValidatingSessionManager implements CacheManagerAware {

    private static final Logger log = LoggerFactory.getLogger(DefaultSessionManager.class);
    private SessionFactory sessionFactory;
    protected SessionDAO sessionDAO;  //todo - move SessionDAO up to AbstractValidatingSessionManager?
    private CacheManager cacheManager;
    /** 是否删除session,如果session过期或者无效后。但是有些系统需要获取及时过期或者无效的SESSION。 默认为true。如果设置为false,需要用户自己有办法在外部去管理过期或者无效session **/
    private boolean deleteInvalidSessions;

    public DefaultSessionManager() {
        this.deleteInvalidSessions = true;
        this.sessionFactory = new SimpleSessionFactory();
        this.sessionDAO = new MemorySessionDAO();

    public void setSessionDAO(SessionDAO sessionDAO) {
        this.sessionDAO = sessionDAO;

    public SessionDAO getSessionDAO() {
        return this.sessionDAO;

    public SessionFactory getSessionFactory() {
        return sessionFactory;

    public void setSessionFactory(SessionFactory sessionFactory) {
        this.sessionFactory = sessionFactory;

    public boolean isDeleteInvalidSessions() {
        return deleteInvalidSessions;

    public void setDeleteInvalidSessions(boolean deleteInvalidSessions) {
        this.deleteInvalidSessions = deleteInvalidSessions;
    public void setCacheManager(CacheManager cacheManager) {
        this.cacheManager = cacheManager;

    private void applyCacheManagerToSessionDAO() {
        if (this.cacheManager != null && this.sessionDAO != null && this.sessionDAO instanceof CacheManagerAware) {
            ((CacheManagerAware) this.sessionDAO).setCacheManager(this.cacheManager);

    protected Session doCreateSession(SessionContext context) {
        Session s = newSessionInstance(context);
        if (log.isTraceEnabled()) {
            log.trace("Creating session for host {}", s.getHost());
        return s;
    protected Session newSessionInstance(SessionContext context) {
        return getSessionFactory().createSession(context);

    protected void create(Session session) {
        if (log.isDebugEnabled()) {
            log.debug("Creating new EIS record for new session instance [" + session + "]");

    protected void onStop(Session session) {
        if (session instanceof SimpleSession) {
            SimpleSession ss = (SimpleSession) session;
            Date stopTs = ss.getStopTimestamp();

    protected void afterStopped(Session session) {
        if (isDeleteInvalidSessions()) {

    protected void onExpiration(Session session) {
        if (session instanceof SimpleSession) {
            ((SimpleSession) session).setExpired(true);

    protected void afterExpired(Session session) {
        if (isDeleteInvalidSessions()) {

    protected void onChange(Session session) {

    protected Session retrieveSession(SessionKey sessionKey) throws UnknownSessionException {
        Serializable sessionId = getSessionId(sessionKey);
        if (sessionId == null) {
            log.debug("Unable to resolve session ID from SessionKey [{}]. Returning null to indicate a " +
                    "session could not be found.", sessionKey);
            return null;
        Session s = retrieveSessionFromDataSource(sessionId);
        if (s == null) {
            //session ID was provided, meaning one is expected to be found, but we couldn't find one:
            String msg = "Could not find session with ID [" + sessionId + "]";
            throw new UnknownSessionException(msg);
        return s;
    protected Serializable getSessionId(SessionKey sessionKey) {
        return sessionKey.getSessionId();
    protected Session retrieveSessionFromDataSource(Serializable sessionId) throws UnknownSessionException {
        return sessionDAO.readSession(sessionId);
    protected void delete(Session session) {
    protected Collection<Session> getActiveSessions() {
        Collection<Session> active = sessionDAO.getActiveSessions();
        return active != null ? active : Collections.<Session>emptySet();



public class DefaultWebSessionManager extends DefaultSessionManager implements WebSessionManager {

    private static final Logger log = LoggerFactory.getLogger(DefaultWebSessionManager.class);
    private Cookie sessionIdCookie;
    private boolean sessionIdCookieEnabled;

    public DefaultWebSessionManager() {
        Cookie cookie = new SimpleCookie(ShiroHttpSession.DEFAULT_SESSION_ID_NAME);
        cookie.setHttpOnly(true); //more secure, protects against XSS attacks
        this.sessionIdCookie = cookie;
        this.sessionIdCookieEnabled = true;
    public Cookie getSessionIdCookie() {
        return sessionIdCookie;

    public void setSessionIdCookie(Cookie sessionIdCookie) {
        this.sessionIdCookie = sessionIdCookie;

    public boolean isSessionIdCookieEnabled() {
        return sessionIdCookieEnabled;

    public void setSessionIdCookieEnabled(boolean sessionIdCookieEnabled) {
        this.sessionIdCookieEnabled = sessionIdCookieEnabled;
    private void storeSessionId(Serializable currentId, HttpServletRequest request, HttpServletResponse response) {
        if (currentId == null) {
            String msg = "sessionId cannot be null when persisting for subsequent requests.";
            throw new IllegalArgumentException(msg);
        Cookie template = getSessionIdCookie();
        Cookie cookie = new SimpleCookie(template);
        String idString = currentId.toString();
        cookie.saveTo(request, response);
        log.trace("Set session ID cookie for session with id {}", idString);
    //删除浏览器SessionID cookie
    private void removeSessionIdCookie(HttpServletRequest request, HttpServletResponse response) {
        getSessionIdCookie().removeFrom(request, response);
    //根据sessionID Cookie获取sessionid
    private String getSessionIdCookieValue(ServletRequest request, ServletResponse response) {
        if (!isSessionIdCookieEnabled()) {
            log.debug("Session ID cookie is disabled - session id will not be acquired from a request cookie.");
            return null;
        if (!(request instanceof HttpServletRequest)) {
            log.debug("Current request is not an HttpServletRequest - cannot get session ID cookie. Returning null.");
            return null;
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        return getSessionIdCookie().readValue(httpRequest, WebUtils.toHttp(response));

    private Serializable getReferencedSessionId(ServletRequest request, ServletResponse response) {
        String id = getSessionIdCookieValue(request, response);
        if (id != null) {
        //设置获取SessionID的来源 Cookie
        } else {
            id = getUriPathSegmentParamValue(request, ShiroHttpSession.DEFAULT_SESSION_ID_NAME);

            if (id == null) {
                String name = getSessionIdName();

                id = request.getParameter(name);
                if (id == null) {

                    id = request.getParameter(name.toLowerCase());
            if (id != null) {
        //设置获取SessionID的来源 URL
        if (id != null) {
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
        return id;

    private String getUriPathSegmentParamValue(ServletRequest servletRequest, String paramName) {

        if (!(servletRequest instanceof HttpServletRequest)) {
            return null;
        HttpServletRequest request = (HttpServletRequest)servletRequest;
        String uri = request.getRequestURI();
        if (uri == null) {
            return null;

        int queryStartIndex = uri.indexOf('?');
        if (queryStartIndex >= 0) { //get rid of the query string
            uri = uri.substring(0, queryStartIndex);

        int index = uri.indexOf(';'); //now check for path segment parameters:
        if (index < 0) {
            //no path segment params - return:
            return null;

        //there are path segment params, let's get the last one that may exist:

        final String TOKEN = paramName + "=";

        uri = uri.substring(index+1); //uri now contains only the path segment params

        //we only care about the last JSESSIONID param:
        index = uri.lastIndexOf(TOKEN);
        if (index < 0) {
            //no segment param:
            return null;

        uri = uri.substring(index + TOKEN.length());

        index = uri.indexOf(';'); //strip off any remaining segment params:
        if(index >= 0) {
            uri = uri.substring(0, index);

        return uri; //what remains is the value

    private String getSessionIdName() {
        String name = this.sessionIdCookie != null ? this.sessionIdCookie.getName() : null;
        if (name == null) {
            name = ShiroHttpSession.DEFAULT_SESSION_ID_NAME;
        return name;
    //封装一个基于WEB(包含request和response的支持)的 客户端层session,该方法主要用在新创建session
    protected Session createExposedSession(Session session, SessionContext context) {
        if (!WebUtils.isWeb(context)) {
            return super.createExposedSession(session, context);
        ServletRequest request = WebUtils.getRequest(context);
        ServletResponse response = WebUtils.getResponse(context);
        SessionKey key = new WebSessionKey(session.getId(), request, response);
        return new DelegatingSession(this, key);
    //封装一个基于WEB(包含request和response的支持)的 客户端层session,该方法主要用在获取已存在的session
    protected Session createExposedSession(Session session, SessionKey key) {
        if (!WebUtils.isWeb(key)) {
            return super.createExposedSession(session, key);

        ServletRequest request = WebUtils.getRequest(key);
        ServletResponse response = WebUtils.getResponse(key);
        SessionKey sessionKey = new WebSessionKey(session.getId(), request, response);
        return new DelegatingSession(this, sessionKey);

    //session start创建后保存sessionID到客户端浏览器cookie中
    protected void onStart(Session session, SessionContext context) {
        super.onStart(session, context);

        if (!WebUtils.isHttp(context)) {
            log.debug("SessionContext argument is not HTTP compatible or does not have an HTTP request/response " +
                    "pair. No session ID cookie will be set.");

        HttpServletRequest request = WebUtils.getHttpRequest(context);
        HttpServletResponse response = WebUtils.getHttpResponse(context);
        if (isSessionIdCookieEnabled()) {
            Serializable sessionId = session.getId();
            storeSessionId(sessionId, request, response);
        } else {
            log.debug("Session ID cookie is disabled. No cookie has been set for new session with id {}", session.getId());

        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_IS_NEW, Boolean.TRUE);
    public Serializable getSessionId(SessionKey key) {
        Serializable id = super.getSessionId(key);
        if (id == null && WebUtils.isWeb(key)) {
            ServletRequest request = WebUtils.getRequest(key);
            ServletResponse response = WebUtils.getResponse(key);
            id = getSessionId(request, response);
        return id;

     protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
        return getReferencedSessionId(request, response);

    protected void onExpiration(Session s, ExpiredSessionException ese, SessionKey key) {
        super.onExpiration(s, ese, key);

    protected void onInvalidation(Session session, InvalidSessionException ise, SessionKey key) {
        super.onInvalidation(session, ise, key);
    private void onInvalidation(SessionKey key) {
        ServletRequest request = WebUtils.getRequest(key);
        if (request != null) {
        if (WebUtils.isHttp(key)) {
            log.debug("Referenced session was invalid. Removing session ID cookie.");
            removeSessionIdCookie(WebUtils.getHttpRequest(key), WebUtils.getHttpResponse(key));
        } else {
            log.debug("SessionKey argument is not HTTP compatible or does not have an HTTP request/response " +
                    "pair. Session ID cookie will not be removed due to invalidated session.");

    protected void onStop(Session session, SessionKey key) {
        super.onStop(session, key);
        if (WebUtils.isHttp(key)) {
            HttpServletRequest request = WebUtils.getHttpRequest(key);
            HttpServletResponse response = WebUtils.getHttpResponse(key);
            //删除sessionID cookie
            removeSessionIdCookie(request, response);
        } else {
            log.debug("SessionKey argument is not HTTP compatible or does not have an HTTP request/response " +
                    "pair. Session ID cookie will not be removed due to stopped session.");

    public boolean isServletContainerSessions() {
        return false;
