setting session timeout in Spring MVC

java spring session spring-mvc

45,962

Solution 1

I was not able to find any way to specify session timeout value through any Spring configuration files. I was using <aop:scoped-proxy> bean so that I don't have to manage read/write value/object to session. Now, I also want the same for setting session timeout value, without using servlets API. But looks like there is no way to specify it other than web.xml file. So ended up using servlet api request.getSession() to set timeout period. I externalized time value so that I can easily change it without recompiling the code. If anyone found better approach then please feel free to post. If found better, I can accept that as an answer.

Solution 2

Solution using Pure Spring MVC, sevlet context.xml

<mvc:interceptors>
    <bean class="com.xxx.SessionHandler" />
</mvc:interceptors>

Handler Adapter

@Component
public class SessionHandler extends HandlerInterceptorAdapter {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        request.getSession().setMaxInactiveInterval(60*60);
        return true;
    }
}

Assuming you are using spring security,

For each successful login i think best way is to create LoginSuccessHandler and specify authentication-success-handler for normal login as well as remember-me.

@Service
public class LoginSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    @Override
    public void onAuthenticationSuccess(
            HttpServletRequest request,
            HttpServletResponse response,
            Authentication authentication) throws ServletException, IOException {
        request.getSession().setMaxInactiveInterval(60*60);
        super.onAuthenticationSuccess(request, response, authentication);
    }

}

<http auto-config="true" use-expressions="true">
    <form-login login-page="/login"
        authentication-failure-url="/login.hst?error=true"
        **authentication-success-handler-ref="loginSucessHandler"** />
    <logout invalidate-session="true" logout-success-url="/home" logout-url="/logout" />
    <remember-me key="jbcp" **authentication-success-handler-ref="loginSucessHandler"**/>
    <session-management>
        <concurrency-control max-sessions="1" />
    </session-management>
</http>

45,962

Author by

JProgrammer

I am enthusiastic programmer having expertise in Java programming language. I am interested in developing distributed systems and high efficient data manipulation programs.

Updated on July 05, 2022

Comments

JProgrammer almost 2 years
Is there any way of specifying session timeout in Spring? I can not specify it in web.xml. As I am using session scope bean in controller as follows

I have configured controller through spring xml files.
```
class xyzController{

     ABCSessionScopeClass objectWhichWillBeStoredInSession;
}
```
I can not use this either
```
session.setMaxInactiveInterval(60*60);
```
Is there any other way of doing this. I don't mind setting timeout per session or for all session at the same time.
JProgrammer over 11 years

I am not using Spring security.
Jigar Parekh over 11 years

if you are not using spring security then you can also use <mvc:interceptors> and HandlerInterceptorAdapter. with Spring MVC.
Ivan Nikitin over 8 years

You can specify session timeout using web.xml as described here: stackoverflow.com/questions/12932589/…
Ivan Nikitin over 8 years

If you're using Spring Boot, you can specify session timeout in application.properties: server.session-timeout=86400