How to get session time out message using Spring security
Solution 1
I solved it by writing a filter instead of depending on Spring Security.
If anyone is interested, they can use the code below:
    import java.io.IOException;
    import javax.servlet.FilterChain;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.log4j.Logger;
    import org.springframework.web.filter.OncePerRequestFilter;

    public class FilterToGetTimeOut extends OncePerRequestFilter {

        private static final Logger LOG = Logger.getLogger(FilterToGetTimeOut.class);
        // Placeholder value: the page to show after login (not given in the original post)
        private static final String URL = "/home";

        @Override
        public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException {
            try {
                if (request.getRequestURI().equals("/") || request.getRequestURI().equals("/Login/")) {
                    if (request.getSession().getAttribute("login") != null && (Boolean) request.getSession().getAttribute("login") == true) {
                        response.sendRedirect(URL); // After login page
                        return; // the redirect commits the response; do not continue the chain
                    }
                } else if (request.getSession().getAttribute("login") == null && !request.getRequestURI().equals("/LogOut")) {
                    // If timeout is true send session timeout error message to JSP
                    response.sendRedirect(request.getContextPath() + "/?timeout=true");
                    return; // stop here so the protected resource is not processed
                }
                filterChain.doFilter(request, response);
            } catch (Exception e) {
                // Log the exception instead of swallowing it silently
                LOG.error("FilterToGetTimeOut failed", e);
            }
        }
    }
Add this filter in web.xml.
    <filter>
        <filter-name>FilterToGetTimeOut</filter-name>
        <filter-class>package.FilterToGetTimeOut</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>FilterToGetTimeOut</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
So now session also invalidates and I can handle the session timeout too.
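An added example, not part of the original answer: a variant of the filter above that separates a timed-out session from a deliberate logout by checking whether the browser presented a session ID the container no longer recognises, and by expiring the session cookie on logout so the next request carries no stale ID. The class name, the `JSESSIONID` cookie name and its path are assumptions; the `/LogOut`, `/Login` and `/?timeout=true` paths come from the question.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

public class SessionTimeoutFilter extends OncePerRequestFilter { // hypothetical class name

    // Paths taken from the question; JSESSIONID is the assumed container default cookie name.
    private static final String LOGOUT_PATH = "/LogOut";
    private static final String TIMEOUT_TARGET = "/?timeout=true";
    private static final String SESSION_COOKIE = "JSESSIONID";

    // The browser sent a session ID, but the container no longer has that session.
    static boolean hasStaleSessionId(HttpServletRequest request) {
        return request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid();
    }

    // Pages that must stay reachable without a session, otherwise the redirect would loop.
    static boolean isPublic(String path) {
        return path.equals("/") || path.equals("/Login") || path.equals("/Login/");
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        String contextPath = request.getContextPath();
        String path = request.getRequestURI().substring(contextPath.length());

        if (LOGOUT_PATH.equals(path)) {
            // Deliberate logout: expire the session cookie so the next request carries
            // no stale ID and is not mistaken for a timeout.
            Cookie expired = new Cookie(SESSION_COOKIE, "");
            expired.setPath(contextPath.isEmpty() ? "/" : contextPath);
            expired.setMaxAge(0);
            response.addCookie(expired);
        } else if (hasStaleSessionId(request) && !isPublic(path)) {
            // Session timed out (or was invalidated elsewhere): report it and stop here.
            response.sendRedirect(contextPath + TIMEOUT_TARGET);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

A first-time visitor with no session cookie passes straight through, so only a request that presents an expired ID gets the timeout message.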
Solution 2
I suggest you log out using this:
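    HttpSession session = request.getSession(false);
    SecurityContextHolder.clearContext();
    if (session != null) {
        session.invalidate();
    }
    Cookie[] cookies = request.getCookies(); // null when the request carries no cookies
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            cookie.setMaxAge(0);
            // The browser only drops a cookie that is sent back to it as expired
            response.addCookie(cookie);
        }
    }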
Prasanna Kumar H A
Updated on June 14, 2022
Comments
-
Prasanna Kumar H A almost 2 years
I want to get the session timeout message when the session expires. Below is my spring-security.xml:
    <http auto-config="true" use-expressions="true">
        <logout logout-success-url="/" invalidate-session="true" logout-url="/LogOut"/>
        <form-login login-page="/Login" username-parameter="Name" password-parameter="Pwd"/>
        <session-management invalid-session-url="/?timeout=true">
            <concurrency-control max-sessions="1" expired-url="/Timeout?timeout=true" />
        </session-management>
    </http>
According to my knowledge, using the above code, when the session expires it should redirect to /?timeout=true OR /Timeout?timeout=true, and on logout it should go to /. But in my case, on logout it is also redirecting to invalid-session-url, so I am always getting timeout true for both normal logout and session timeout. Please help me to differentiate this.
UPDATE
The /logout request contains:
    session = request.getSession();
    session.invalidate();
    session = null;
-
Prasanna Kumar H A about 8 years
I tried your answer, not able to get the session timeout always
-
FreezY about 8 years
expired-url is for session expired, which means if the app detects a user with more than max-sessions (which in this case is more than 1 session), then Spring will redirect to expired-url. My answer is to make sure your logout doesn't go to invalid-session-url. If you want to make a timeout that automatically logs the user out after a certain time, you can use jQuery.
-
Prasanna Kumar H A about 8 years
Actually, on logout, if I remove session.invalidate it is also going to the same
-
FreezY about 8 years
Sorry, forgot one thing. If you want to use my answer, you need to remove <logout> in spring-security.xml. Can you tell how you want your system to run?
-
Prasanna Kumar H A about 8 years
On logout, SpringContext should clear, session should be null, and on session timeout an error message should come.
-
Prasanna Kumar H A about 8 years
Is there any way to write a filter for my spec?
-
FreezY about 8 years
Yup, you're not using CSRF, but by default Spring Security will create one for you if you do not disable CSRF. Spring Security is one type of filter. Please go through here first
-
Prasanna Kumar H A about 8 years
Upon mentioning invalidate-session='false' also, for logout it's redirecting to invalidate-url
-
Hector over 7 years
What is the var URL in the 'After login page' snippet?
-
Hector over 7 years
I don't understand. What does this line do? response.sendRedirect(URL)
-
Prasanna Kumar H A over 7 years
That will load whichever URL you mention; it will redirect.
    response.sendRedirect("/errorLogin");
It will go to http:localhost:xxx/xxxx/errorLogin