shiro | Apache Shiro is a powerful and easy-to-use Java security | Security Framework library

Perhaps this will get you on the right track?

Yes, You can configure the session cookie's MaxAge: https://shiro.apache.org/web.html#session_cookie

Using the bean properties of the cookie: https://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/servlet/SimpleCookie.html

I'm not sure I'm following the last bit about access tokens and cookies though.

Typically, using a session cookie is default functionality for web apps running on most Java Servlet containers (this differs once you get into REST API frameworks)

The reason is that Spring Security does not include the algorithm and rounds in the hashed value.

You can keep the same hash by implementing your own encoder like so:

Based on what you have, it should work with this:

Change: response = webdriver.request('POST', url+'pro/epc/plantview/view/doAsyncPlantList.json', headers=headers, data=postData)

to this: response = webdriver.request('POST', url+'pro/epc/plantview/view/doAsyncPlantList.json', headers=headers, json=json.dumps(postData))

(remember to import json) :)

I am not sure why this works but it does, for further reading see this discussion about the difference between data= and json= : Difference between data and json parameters in python requests package

Also, I've managed to get it work with requests only which should speed things up, note that I've had to change my url at the end to "cpro" not "pro" like yours since I don't have a pro account: "https://m.ginlong.com/pro/epc/plantview/view/doAsyncPlantList.json"

The exception cause shows what is wrong:

Malformed markup: Attribute "lang" appears more than once in element

You have this in your HTML:

Inside the VaadinSession are some fields that are not Serializable, for example a Lock and the wrapped http session inside is also marked as transient.

The wrapped http session is not part of Vaadin session, it is the the http session. Thus it is transient. The same can be said about Lock, whose instance is stored in the http session.

In order to implement session serialization correctly, you need to hook into serialization events and update the transients when session is being deserialized. VaadinSession should be loaded with VaadinService#loadSession, which calls VaadinSession#refreshTransients.

Everything inside a VaadinSession should be serializable to ensure compatibility with schemes using serialization for persisting the session data.

This statement does not imply that you can serialize your application out of the box. It just means, that in case your application is serializable as well, with careful engineering you can serialize the whole thing.

For example Vaadin is not updating the session attribute in each possible occasion for performance reasons. There is method VaadinService#storeSession for that. So you need to either override right method or setup request filter. E.g. you could do this at VaadinService#endRequest.

Note, you need to use sticky sessions in order to get this to work with moderate amount of effort. If your session is de-serialized in different machine, the re-entrant lock instances wont be valid. If you would like to be able to de-serialize the session in different machine, it would require that your infrastructure can offer distributed lock that you can use instead of re-entrant Lock of Java and override Vaadin's getSessionLock and setSessionLock methods to use that.

Valuable sources of further info:

Generic notes from Vaadin's CTO

https://vaadin.com/blog/session-replication-in-the-world-of-vaadin

Testimonial from developer who did it with one stack

https://vaadin.com/learn/tutorials/hazelcast

Thoughts from another senior developer

https://mvysny.github.io/vaadin-14-session-replication/

Setting the "interpreter binding modes" to "isolated" (or even "scoped") might solve your problem.

Isolated mode runs a separate interpreter process for each note in the case of per note scope. So, each note has an absolutely isolated session.

https://zeppelin.apache.org/docs/0.10.0/usage/interpreter/interpreter_binding_mode.html

It's not a python virtual environment per se, but maybe the provided isolation could work.

Thanks to Benjamin Marwell :

This is possible only in theory and/or with a lot of money. You can use hacking tools which run on your GPU, but even then it might take years to find it. And that is exactly the point: Password-based key derivation functions are designed to create an in-revertable hash.

Shiro 2.0 will use even better KDFs like Argon2 or bcrypt/script, which require a vast amount of memory and cpu to make attacks not feasible.

If you have access to the database where you stored the password, I would just set a new password and forget about the old one, if possible.