Reputation: 18597
Tomcat session cookie doesn't expire
I have a web application in Tomcat 7 which keeps user information in session as a DTO object. I also have Spring security enabled for my project which automatically redirects a user to a login page if the user does not have a session.
If I log in to my application once and then I restart Tomcat in Eclipse what happens is that my session gets flushed out but the cookie does not go.
What this means is that after server restart there is no UserDto in session but a valid JSESSIONID remains with browser. Thus spring security still thinks that the user is logged in when in fact he's not.
Why is this happening? (I have check the type of JSESSIONID cookie by viewing page info in Firefox it says - Expire: At end of session. Thus it should ideally expire at server restart or shouldn't it?)
Edit: Though Firefox says Expire: At end of session the cookie is still there if I close and restart Firefox.
Upvotes: 3
Views: 4934
Answers (4)
Reputation: 493
From Servlet 3.0 to add expire date to a cookie you can add cookie-config to your web.xml file
<session-config>
<session-timeout>30</session-timeout>
<cookie-config>
<max-age>1800</max-age>
</cookie-config>
</session-config>
Upvotes: 2
Reputation: 1
While you log in succesfully, SpringSecurity stores a cookie in your browser.
When the browser sends a request, SpringSecurity checks what's in the cookie. If SpringSecurity finds the value it stored before, it thinks you have logged in, so SpringSecurity won't redirect to the login page.
Upvotes: 0
Reputation: 259
Tomcat will generate a JSESSIONID automatically if you have used session in you web project.
If the session id changed then the JSESSIONID will changed corresponds. Because
the JSESSIONID indicates the seesion ID of the WEB project.
It will expire when the server stop(in default it will expire within 30 minutes), but the cookie cannot delete automatically.
JSESSIONID can configs in server.xml file of tomcat.
Upvotes: 1
Reputation: 48057
The cookie is held in the browser - when the server restarts, but the browser continues to run, it will hold onto the cookie and present this to the server on next request.
Now on the server side, you have multiple options: You can configure tomcat's SessionManager to persist on disk and read the content upon restart - this is an option that also is used to distribute sessions between multiple tomcats in a cluster: When the session is serialized to disk, any server can continue the session by "just" deserializing it. There's some cost implied (as you constantly need to serialize sessions)
Currently I can't give you more concrete hints than this - but if you look it up and understand the difference between where the cookie is stored, why it doesn't change on server restart and that you'll have to look up tomcat documentation of the session manager, you'll hopefully manage to figure it out.
Upvotes: 1
Related Questions
- Tomcat sessions expiring unexpectedly
- Cookie expiration is not working
- JSESSIONID Cookie with Expiration Date in Tomcat
- Tomcat Spring Security - set session cookie expiration time
- Java Servlet not deleting cookies
- From a servlet, how do I set a Cookie that never expires?
- Can cookies expire before session expires?
- Java Servlet : Cookies do not get deleted
- Tomcat session expired handling
- Session Lost when closing the browser