How to get session time out message using Spring security


Solution 1

I solved it by writing a filter instead of depending on Spring Security.

If anyone is interested, they can use the code below:

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;
import org.springframework.web.filter.OncePerRequestFilter;

public class FilterToGetTimeOut extends OncePerRequestFilter {

    private static final Logger LOG = Logger.getLogger(FilterToGetTimeOut.class);

    // Placeholder: path of the page shown after login; replace with your own.
    private static final String URL = "/afterLogin";

    @Override
    public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        try {
            if (request.getRequestURI().equals("/") || request.getRequestURI().equals("/Login/")) {
                if (Boolean.TRUE.equals(request.getSession().getAttribute("login"))) {
                    response.sendRedirect(URL);     // After login page
                    return;                         // Response is committed; do not continue the chain
                }
            } else if (request.getSession().getAttribute("login") == null && !request.getRequestURI().equals("/LogOut")) {
                // No "login" attribute: send timeout=true so the JSP shows the session timeout message
                response.sendRedirect(request.getContextPath() + "/?timeout=true");
                return;                             // Do not let the request reach the protected resource
            }
            filterChain.doFilter(request, response);
        } catch (Exception e) {
            // Log the exception instead of silently discarding it
            LOG.error("Session timeout filter failed", e);
        }
    }
}

Add this filter in web.xml.

    <filter>
        <filter-name>FilterToGetTimeOut</filter-name>
        <filter-class>package.FilterToGetTimeOut</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>FilterToGetTimeOut</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

So now the session is also invalidated and I can handle the session timeout too.
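A variant of the filter above that tells a timed-out session apart from a request that never had one, using the servlet API's `getRequestedSessionId()` and `isRequestedSessionIdValid()`, and that never creates a session for an anonymous request. This is an added example, not code from the answer; the class name `SessionTimeoutFilter` and the `/Login` redirect for anonymous users are assumptions, while the `login` attribute and the paths come from the page.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.filter.OncePerRequestFilter;

// Added example (hypothetical class name), not code from the answer.
public class SessionTimeoutFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        String ctx = request.getContextPath();
        String path = request.getRequestURI().substring(ctx.length());

        // Public pages from the question's configuration pass straight through.
        if (path.equals("/") || path.equals("/Login") || path.equals("/Login/")
                || path.equals("/LogOut")) {
            chain.doFilter(request, response);
            return;
        }

        // getSession(false) never creates a session for an anonymous request.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null
                && Boolean.TRUE.equals(session.getAttribute("login"));
        if (loggedIn) {
            chain.doFilter(request, response);
            return;
        }

        // The browser presented a session id the container no longer knows:
        // the session timed out, or was invalidated while the cookie survived.
        boolean staleId = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();

        // Redirect and stop: the protected resource must not run for this request.
        response.sendRedirect(ctx + (staleId ? "/?timeout=true" : "/Login"));
    }
}
```

A logout that invalidates the session but leaves the `JSESSIONID` cookie in the browser looks exactly like a timeout to this check, so the logout path has to expire that cookie as well (Spring Security's `<logout delete-cookies="JSESSIONID" />` does this).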

Solution 2

I suggest you log out using this:

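HttpSession session = request.getSession(false);
SecurityContextHolder.clearContext();
if (session != null) {
    session.invalidate();
}
Cookie[] cookies = request.getCookies();    // null when the request carries no cookies
if (cookies != null) {
    for (Cookie cookie : cookies) {
        cookie.setMaxAge(0);
        // The browser only drops a cookie that is sent back expired; "response" is assumed
        // to be in scope like "request". A cookie set with a path needs the same path here.
        response.addCookie(cookie);
    }
}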
Author by

Prasanna Kumar H A


Updated on June 14, 2022

Comments

  • Prasanna Kumar H A almost 2 years

    I want to get the session timeout message when the session expires. Below is my spring-security.xml:

    <http auto-config="true" use-expressions="true">
        <logout logout-success-url="/" invalidate-session="true" logout-url="/LogOut"/>
        <form-login login-page="/Login" username-parameter="Name" password-parameter="Pwd"/>
        <session-management invalid-session-url="/?timeout=true">
            <concurrency-control max-sessions="1" expired-url="/Timeout?timeout=true" />
        </session-management>
    </http>
    

    As far as I know, with the above code, when the session expires it should redirect to /?timeout=true or /Timeout?timeout=true, and on logout it should go to /. But in my case, on logout it is also redirecting to invalid-session-url, so I am always getting timeout true for both normal logout and session timeout.

    Please help me to differentiate this.

    UPDATE

    /logout request contains

    session = request.getSession();
    session.invalidate();
    session = null;
    
  • Prasanna Kumar H A about 8 years
    I tried your answer; not able to get the session timeout always.
  • FreezY about 8 years
    expired-url is for an expired session, which means that if the app detects a user with more than max-sessions (in this case more than 1 session), then Spring will redirect to expired-url. My answer is to make sure your logout doesn't go to invalid-session-url. If you want a timeout that automatically logs the user out after a certain time, you can use jQuery.
  • Prasanna Kumar H A about 8 years
    Actually, on logout, even if I remove session.invalidate, it is going to the same.
  • FreezY about 8 years
    Sorry, forgot one thing: if you want to use my answer, you need to remove <logout> in spring-security.xml. Can you tell me how you want your system to run?
  • Prasanna Kumar H A about 8 years
    On logout, SpringContext should clear and session should be null, and on session timeout an error message should come.
  • Prasanna Kumar H A about 8 years
    Is there any way to write a filter for my spec?
  • FreezY about 8 years
    Yup, you're not using CSRF, but by default Spring Security will create one for you if you do not disable CSRF. Spring Security is one type of filter. Please go through here first
  • Prasanna Kumar H A about 8 years
    Even upon mentioning invalidate-session='false' for logout, it's redirecting to invalidate-url.
  • Hector over 7 years
    What is the var URL in the 'After login page' snippet?
  • Hector over 7 years
    I don't understand. What does this line do? response.sendRedirect(URL)
  • Prasanna Kumar H A over 7 years
    That will load whichever URL you mention... it will redirect... response.sendRedirect("/errorLogin"); it will go to http://localhost:xxx/xxxx/errorLogin