Spring Boot session timeout

隐瞒了意图╮ 2020-12-31 06:28

server.session-timeout seems to be working only for embedded tomcat.

I put a log statement to check the session max interval time. After deploying the

7 answers
  • 2020-12-31 07:09

    [Just in case someone finds this useful]

    If you're using Spring Security you can extend the SimpleUrlAuthenticationSuccessHandler class and set the session timeout in the authentication success handler:

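    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
    import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

    public class NoRedirectSavedRequestAwareAuthenticationSuccessHandler
           extends SimpleUrlAuthenticationSuccessHandler {

        public final Integer SESSION_TIMEOUT_IN_SECONDS = 60 * 30;

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request,
                                            HttpServletResponse response,
                                            Authentication authentication)
                                            throws ServletException, IOException {

            // Set the idle timeout (in seconds) on the authenticated session
            request.getSession().setMaxInactiveInterval(SESSION_TIMEOUT_IN_SECONDS);

            // ...
        }
    }

    // configure(HttpSecurity) belongs in the security configuration, not in the handler.
    // The class name SecurityConfig is illustrative.
    @EnableWebSecurity
    class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                .loginProcessingUrl("/login")
                .successHandler(new NoRedirectSavedRequestAwareAuthenticationSuccessHandler())
                .failureHandler(new SimpleUrlAuthenticationFailureHandler())
                .and().httpBasic();
        }

    }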
    
    0 Discussion (0)
  • 2020-12-31 07:09

    You've discovered, as I have, that there is no direct call in the Servlet API nor the Spring APIs for setting the session timeout. The need for it is discussed here and there, but it hasn't been addressed yet.

    There's kind of a roundabout way to do what you want. You can configure a session listener that sets the timeout on the session. I came across an article with code examples at: http://fruzenshtein.com/spring-java-configuration-session-timeout

    I hope that helps.

    0 Discussion (0)
  • 2020-12-31 07:14

    Complementing the @Ali answer, you can also create a session.timeout variable in your application.yml file and use it in your class. This should work great with Spring Boot war and external Tomcat:

    application.yml

      session:
        timeout: 480 # minutes
    

    SessionListener (with @Configuration annotation)

    import javax.servlet.http.HttpSessionEvent;
    import javax.servlet.http.HttpSessionListener;
    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Configuration;
    
    @Configuration
    class SessionListener implements HttpSessionListener {
    
        @Value("${session.timeout}")
        private Integer sessionTimeout;
    
        @Override
        public void sessionCreated(HttpSessionEvent event) {
            // setMaxInactiveInterval() takes seconds; session.timeout is configured in minutes
            event.getSession().setMaxInactiveInterval(sessionTimeout * 60);
        }
    
        @Override
        public void sessionDestroyed(HttpSessionEvent event) {}
    
    }
    
    0 Discussion (0)
  • 2020-12-31 07:15

    In your application.properties

    #session timeout (in secs for spring, in minutes for tomcat server/container)
    server.session.timeout=1
    

    I tested it and it is working! It turns out that Tomcat takes the property in minutes.

    0 Discussion (0)
  • 2020-12-31 07:22

    When you deploy a Spring Boot app to a standalone server, configuring the session timeout is done in the same way as it would be in any other war deployment.

    In the case of Tomcat you can set the session timeout by configuring the maxInactiveInterval attribute on the manager element in server.xml or using the session-timeout element in web.xml. Note that the first option will affect every app that's deployed to the Tomcat instance.

    0 Discussion (0)
  • 2020-12-31 07:23

    Use HttpSessionListener

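    import javax.servlet.http.HttpSessionEvent;
    import javax.servlet.http.HttpSessionListener;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class MyHttpSessionListener implements HttpSessionListener {
        @Override
        public void sessionCreated(HttpSessionEvent event) {
            event.getSession().setMaxInactiveInterval(30); // seconds
        }

        @Override
        public void sessionDestroyed(HttpSessionEvent event) {} // required before Servlet 4.0
    }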
    
    0 Discussion (0)
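
Added example, not part of any answer above: a session listener in the style of the ones posted here that makes the unit conversion explicit (property in minutes, `setMaxInactiveInterval` in seconds), refuses zero or negative values (which the Servlet API treats as "never time out") and logs the timeout the container actually holds. The class name, the property `app.session.idle-timeout-minutes` and the 8-hour ceiling are assumptions; it assumes `javax.servlet` and SLF4J on the classpath.

```java
import java.time.Duration;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

// Added example: class name, property name and MAX_IDLE are assumptions.
@Component
public class BoundedSessionTimeoutListener implements HttpSessionListener {
    private static final Logger log = LoggerFactory.getLogger(BoundedSessionTimeoutListener.class);

    // Assumed policy ceiling; pick the value your application requires.
    static final Duration MAX_IDLE = Duration.ofHours(8);

    private final int idleSeconds;

    @Autowired
    public BoundedSessionTimeoutListener(
            @Value("${app.session.idle-timeout-minutes:30}") long minutes) {
        // A bad value fails startup instead of yielding sessions that never expire.
        this.idleSeconds = toIdleSeconds(Duration.ofMinutes(minutes));
    }

    // Converts to the seconds setMaxInactiveInterval() expects, rejecting unsafe values.
    static int toIdleSeconds(Duration configured) {
        if (configured.isZero() || configured.isNegative()) {
            // Zero or less means "never time out" in the Servlet API.
            throw new IllegalArgumentException("idle timeout must be positive: " + configured);
        }
        if (configured.compareTo(MAX_IDLE) > 0) {
            throw new IllegalArgumentException("idle timeout exceeds " + MAX_IDLE + ": " + configured);
        }
        return Math.toIntExact(configured.getSeconds());
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        event.getSession().setMaxInactiveInterval(idleSeconds);
        // Log the value the container actually holds, not the one requested.
        log.info("Session idle timeout: {} s", event.getSession().getMaxInactiveInterval());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) { }
}
```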