Spring Boot session timeout

Based on justin's answer showing how to set session timeout using an AuthenticationSuccessHandler with Spring Security, I created a SessionTimeoutAuthSuccessHandler:

import java.io.IOException;
import java.time.Duration;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

public class SessionTimeoutAuthSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
  public final Duration sessionTimeout;

  public SessionTimeoutAuthSuccessHandler(Duration sessionTimeout) {
    this.sessionTimeout = sessionTimeout;
  }

  @Override
  public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse res, Authentication auth) throws ServletException, IOException {
    // setMaxInactiveInterval takes seconds; toIntExact throws if the Duration does not fit in an int
    req.getSession().setMaxInactiveInterval(Math.toIntExact(sessionTimeout.getSeconds()));
    super.onAuthenticationSuccess(req, res, auth);
  }
}

In use:

import java.time.Duration;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
      .anyRequest().authenticated()
      .and().formLogin().loginPage("/login")
      // every successful login gets an 8 hour inactivity timeout on its session
      .successHandler(new SessionTimeoutAuthSuccessHandler(Duration.ofHours(8))).permitAll()
      .and().logout().logoutUrl("/logout").permitAll();
  }
...
}

Edit: Extending from SavedRequestAwareAuthenticationSuccessHandler rather than SimpleUrlAuthenticationSuccessHandler to ensure that the original request is not lost after re-authentication.

server.session-timeout seems to be working only for embedded Tomcat.

I added a log statement to check the session's max inactive interval. After deploying the war file manually to Tomcat, I realized that the default session timeout value (30 min) was still being used.

How can I set session timeout value with spring-boot (not for embedded tomcat, but for a stand-alone application server)?


Answer #1

In your application.properties

#session timeout (in secs for spring, in minutes for tomcat server/container)
server.session.timeout=1

I tested it and it is working! It turns out that Tomcat takes the property in minutes.


Answer #2

When you deploy a Spring Boot app to a standalone server, configuring the session timeout is done in the same way as it would be in any other war deployment.

In the case of Tomcat you can set the session timeout by configuring the maxInactiveInterval attribute on the manager element in server.xml or using the session-timeout element in web.xml. Note that the first option will affect every app that's deployed to the Tomcat instance.


Answer #3

You've discovered, as I have, that there is no direct call in the Servlet API nor the Spring APIs for setting the session timeout. The need for it is discussed here and there, but it hasn't been addressed yet.

There's kind of a roundabout way to do what you want. You can configure a session listener that sets the timeout on the session. I came across an article with code examples at: http://fruzenshtein.com/spring-java-configuration-session-timeout

I hope that helps.
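The session-listener approach described in this answer, written out as an added example (it is not the answer's code or the linked article's): an HttpSessionListener that applies the inactivity timeout to every new session, registered as a Spring bean so it also works when the app is deployed as a WAR to a stand-alone Tomcat. The property name app.session.timeout-seconds is an assumption; use whatever key suits your project.

```java
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SessionTimeoutConfig {

  // Hypothetical property name (assumption); default of 1800 seconds = 30 minutes.
  // The Servlet API works in seconds, unlike Tomcat's web.xml/server.xml values, which are in minutes.
  @Value("${app.session.timeout-seconds:1800}")
  private int sessionTimeoutSeconds;

  @Bean
  public ServletListenerRegistrationBean<HttpSessionListener> sessionTimeoutListener() {
    HttpSessionListener listener = new HttpSessionListener() {
      @Override
      public void sessionCreated(HttpSessionEvent event) {
        // Runs for every session the container creates, so the timeout no longer depends on
        // whether the container is embedded or stand-alone, or on its own default.
        event.getSession().setMaxInactiveInterval(sessionTimeoutSeconds);
      }

      @Override
      public void sessionDestroyed(HttpSessionEvent event) {
        // nothing to clean up; the container already expired or invalidated the session
      }
    };
    // Registering through Spring Boot means SpringBootServletInitializer adds the listener
    // to the external container's ServletContext as well.
    return new ServletListenerRegistrationBean<>(listener);
  }
}
```

Log the value of getMaxInactiveInterval() from a controller to confirm the container honoured it, the same check the question used.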
