Spring Security session timeout is too short
There is only the session timeout, but no additional timeout in Spring Security (except the one for the remember-me token, but this is a different thing).
You can configure the session timeout within the web.xml:

<web-app>
    <session-config>
        <!-- in minutes -->
        <session-timeout>60</session-timeout>
    </session-config>
</web-app>
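An added example (not part of the original answer): a small Python check that reads the two independent timers the answer distinguishes, the `<session-timeout>` in web.xml (minutes) and the remember-me `token-validity-seconds` (seconds), and reports both in seconds. The sample XML is constructed for the example and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not the poster's files): a web.xml in the Java EE
# namespace and a Spring Security namespace config with a remember-me element.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>60</session-timeout>
  </session-config>
</web-app>"""

SECURITY_XML = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http auto-config="true">
    <remember-me key="key" token-validity-seconds="2419200" />
  </http>
</beans:beans>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]

def find_all(root, name):
    return [el for el in root.iter() if local(el.tag) == name]

def session_timeout_seconds(web_xml):
    """Idle timeout from web.xml in seconds; 0 means 'never expires' (value <= 0);
    None means the element is absent and the container default applies."""
    hits = find_all(ET.fromstring(web_xml), "session-timeout")
    if not hits:
        return None
    minutes = int(hits[0].text.strip())  # web.xml expresses this in minutes
    return 0 if minutes <= 0 else minutes * 60

def remember_me_seconds(security_xml):
    """token-validity-seconds of <remember-me>, or None if it is not set."""
    for el in find_all(ET.fromstring(security_xml), "remember-me"):
        value = el.get("token-validity-seconds")
        if value is not None:
            return int(value)
    return None

def report(web_xml, security_xml):
    idle, token = session_timeout_seconds(web_xml), remember_me_seconds(security_xml)
    idle_txt = {None: "container default", 0: "never expires"}.get(idle, f"{idle} s idle")
    token_txt = "not configured" if token is None else f"{token} s ({token / 86400:g} days)"
    return f"HTTP session: {idle_txt}; remember-me token: {token_txt}"

print(report(WEB_XML, SECURITY_XML))
```

A `None` result for the session timeout means the value has to be looked up in the application server's own configuration, since web.xml does not override it.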
Comments
Tony almost 2 years
I don't know how, but the session timeout is incredibly short. As far as I know, the Spring Security session timeout depends on the server's default session configuration. I've found out that the GlassFish timeout is 1800 sec (10 min). But I think the session is removed every 5 minutes. How could this happen? This is my Spring Security configuration:
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!-- enable use-expressions -->
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/adminRole/**" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/userRole/**" access="hasRole('ROLE_USER')" />

        <!-- access denied page -->
        <access-denied-handler error-page="/403" />
        <form-login
            login-page="/"
            default-target-url="/resolveRoles"
            authentication-failure-url="/?error"
            username-parameter="username"
            password-parameter="password" />
        <remember-me key="key" token-validity-seconds="2419200" />
        <logout logout-success-url="/?logout" />
        <!-- enable csrf protection -->
    </http>

    <!-- Select users and user_roles from database -->
    <authentication-manager>
        <authentication-provider>
            <password-encoder hash="sha"/>
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query=
                    "select username,password, enabled from smsc.users where username=?"
                authorities-by-username-query=
                    "select username, role from smsc.user_roles where username =? " />
        </authentication-provider>
    </authentication-manager>
</beans:beans>