Spring Security session timeout is too short

java spring session spring-mvc spring-security
10,904

There is only the session timeout, but no additional timeout in spring security (except the one for the remember me token, but this is a different thing).

You can configure the session timeout within the web.xml:

<web-app>
   <session-config>
      <!-- in minutes -->
      <session-timeout>60</session-timeout>
   </session-config>
</web-app>
Share:
10,904
Tony
Author by

Tony

Java ape.

Updated on June 04, 2022

Comments

  • Tony
    Tony almost 2 years

    I don't know how, but session timeout is incredibly short. As I know Spring Security session timeout depends on default server's session configurations. I've found out that GlassFish timeout is 1800 sec(10 min). But I think session removes every 5 minutes. How could this happened? This is my Spring Security configurations:

    <beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.2.xsd">    



    <!-- enable use-expressions -->
    <http auto-config="true" use-expressions="true">

        <intercept-url pattern="/adminRole/**" access="hasRole('ROLE_ADMIN')" />

        <intercept-url pattern="/userRole/**" access="hasRole('ROLE_USER')" />

        <!-- access denied page -->
        <access-denied-handler error-page="/403" />

        <form-login 
            login-page="/" 
            default-target-url="/resolveRoles" 
            authentication-failure-url="/?error" 
            username-parameter="username"
            password-parameter="password" />
            <remember-me key="key" token-validity-seconds="2419200" />
        <logout logout-success-url="/?logout"  />
        <!-- enable csrf protection -->

    </http>



    <!-- Select users and user_roles from database -->
    <authentication-manager>
      <authentication-provider>
      <password-encoder hash="sha"/>      
        <jdbc-user-service data-source-ref="dataSource"
          users-by-username-query=
            "select username,password, enabled from smsc.users where username=?"
          authorities-by-username-query=
            "select username, role from smsc.user_roles where username =?  " />
      </authentication-provider>
    </authentication-manager>

</beans:beans>

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Spring Security logout and Maximum sessions
How to get session time out message using Spring security
How to enable session and set session timeout in Spring Security
How to get same session with Spring Security and Spring Session From multiple server
spring security get user id from DB
Spring security 401 Unauthorized even with permitAll
Could not verify the provided CSRF token because your session was not found
Integrating Spring Security with SiteMinder
Java Spring Security - User.withDefaultPasswordEncoder() is deprecated?
Step by step login example using spring security 3.0 with hdbc