我的系统用 Spring Boot + Shiro 做登录鉴权。接入 Shiro 之后,Servlet 自带的 HttpSession 的 removeAttribute 就不起作用了。
Shiro 配置
@Configuration
public class ShiroConfig {
/**
 * Builds the Shiro filter factory bean: attaches the security manager, sets the login,
 * post-login and unauthorized URLs, and installs the filter chain definition map.
 *
 * @param securityManager the security manager the filter delegates to
 * @return the configured factory bean
 */
@Bean
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
    ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
    // A SecurityManager must always be set.
    factory.setSecurityManager(securityManager);

    // Login page; per the author's note, "/login.jsp" under the web root is looked up when unset.
    factory.setLoginUrl("/login");
    // Where to go after a successful login.
    factory.setSuccessUrl("/index");
    // Page shown when the subject lacks the required permission.
    factory.setUnauthorizedUrl("/403");

    // Path pattern -> filter chain rules. LinkedHashMap keeps insertion order, which is the
    // order Shiro matches chain definitions in.
    // NOTE(review): nothing is put into the map (the only rule is commented out), so this bean
    // binds no authc/perms filter to any path. Confirm access control is enforced elsewhere
    // (e.g. annotations), otherwise every URL is reachable without authentication.
    Map<String, String> chainRules = new LinkedHashMap<>();
    // chainRules.put("/user", "perms[add1]");
    factory.setFilterChainDefinitionMap(chainRules);
    return factory;
}
/**
 * Creates the web security manager and wires in the application's realm and a custom
 * session manager.
 *
 * @return the configured security manager
 */
@Bean
public SecurityManager securityManager() {
    DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
    // Register the realm.
    manager.setRealm(myShiroRealm());
    // Custom Redis-backed cache, currently disabled:
    // RedisCacheManager cache = cacheManager();
    // manager.setCacheManager(cacheManager());
    // Custom session management (Redis, per the author's note).
    // NOTE(review): once a custom session manager is installed, session attributes such as the
    // login verification code live in whatever store SessionManager() configures; code that
    // writes and reads them should go through the same session API - confirm against its definition.
    manager.setSessionManager(SessionManager());
    return manager;
}
...后面的隐藏
使用
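/**
 * Handles the login form post: reports bean-validation errors, checks the one-time
 * verification code stored in the Shiro session, and, if everything passed, logs the
 * subject in with the submitted username and password.
 *
 * @param userForm      submitted login form, validated against {@code SysUser.IUserLogin}
 * @param bindingResult validation outcome for {@code userForm}
 * @param request       current request; the "verifycode" parameter is read from it
 * @param session       servlet session injected by Spring; not used in the body, the Shiro
 *                      session from {@code SecurityUtils} is used instead
 * @return the result object carrying the status flag, message and the echoed form
 */
@PostMapping(path="/login.api")
@ResponseBody
public Result loginApi(@Validated(SysUser.IUserLogin.class) SysUser userForm, BindingResult bindingResult,
        HttpServletRequest request, HttpSession session){
    // NOTE(review): result is not declared in this method. If it is a field of a singleton
    // controller, concurrent logins share and overwrite it - confirm it is request-scoped.
    result.simple(true, "初始化");
    userForm.initForm(SysUser.IUserLogin.class);
    // getParameter returns null when the parameter is absent from the request.
    String verifycode = request.getParameter("verifycode");
    if (bindingResult.hasErrors()) {
        userForm.initFieldErrors(bindingResult);
        result.simple(false, "字段验证失败");
    }
    // Read the verification code from the Shiro session, not from the injected HttpSession.
    Session s = SecurityUtils.getSubject().getSession();
    // A missing parameter is treated as a wrong code instead of raising a NullPointerException.
    // A missing stored code also fails the check, because equals(null) is false.
    boolean codeMatches = verifycode != null && verifycode.equals(s.getAttribute("VerifyCode"));
    if (!codeMatches) {
        result.simple(false, result.getMsg()+",验证码不正确");
        result.putItems("verifycodeError", "验证码不正确!");
    } else {
        result.removeItem("verifycodeError");
    }
    // The code is single-use: it is dropped whether or not it matched, so one code cannot be
    // replayed across repeated login attempts.
    s.removeAttribute("VerifyCode");
    if (result.isFlag()) {
        try {
            UsernamePasswordToken token = new UsernamePasswordToken(userForm.getUsername(), userForm.getPassword());
            SecurityUtils.getSubject().login(token);
            // NOTE(review): the session is not renewed after a successful login here; confirm
            // session-id rotation is handled elsewhere to avoid session fixation.
            result.simple(true, "登录成功");
        } catch (Exception e) {
            // NOTE(review): the exception goes to stdout rather than a logger, and its message
            // is returned to the client as the password field error. Exception messages can
            // reveal whether an account exists or expose internals; a fixed generic message
            // is safer.
            System.out.println(e.toString());
            userForm.getFields().get("password").setError(e.getMessage());
            result.simple(false, "登录失败");
        }
    }
    // NOTE(review): the submitted form is echoed back in the response; confirm the password
    // field is excluded from serialization.
    result.putItems("user", userForm);
    return result;
}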
上面代码中,注入的 HttpSession 参数 session 不能用,而通过 SecurityUtils.getSubject().getSession() 取得的 Shiro Session(变量 s)可以用。
原因没找到,不过又好了,无奈。