Reputation: 48853
web.xml contains:
<session-config>
<session-timeout>30</session-timeout>
</session-config>
Spring security-context.xml has a custom OAuth 2.0 authorisation filter:
<sec:http use-expressions="true" auto-config="false"
entry-point-ref="oauthEntryPoint"
authentication-manager-ref="oauthAuthenticationManager">
<sec:custom-filter position="FORM_LOGIN_FILTER" ref="myFilter" />
...
</sec:http>
As long as the session is valid, the attemptAuthentication method of myFilter is not called. If the session has expired, the attemptAuthentication method makes a request to the REST API of the custom OAuth 2.0 server to verify the OAuth token's validity (and then redirects to the login page or prolongs the session).
The session has a 30 min timeout; the OAuth token has a 1 day timeout.
If the user keeps active within each 30 min window, the session is automatically extended and the user can stay logged in for many days after the OAuth token has become invalid!
How do I invalidate the session based on the time of the first login, not the time of the last site access?
UPDATE: See also my question on http://forum.spring.io/forum/spring-projects/security/725894-help-with-stoping-sesstion-prolongation
I read the Servlet 2.1 specification. It seems that the session is managed by the container that provides the Servlet API. It has a session timeout to avoid memory overload from old inactive sessions.
So you have no control over session expiry. To achieve my goal I can associate a special creation timestamp with the session and check it for expiry.
But as Will Keeling says, this info is already stored in the session:
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    // getSession(false): do not create a session just to inspect it
    HttpSession session = request.getSession(false);
    if (session == null)
        logger.warn("session is null");
    else
        logger.warn("session created at {}", session.getCreationTime());
    chain.doFilter(req, res); // continue with the rest of the filter chain
}
Upvotes: 1
Views: 931
Reputation: 23014
You could possibly implement your own servlet filter which checks the session creation time and then invalidates the session if it is accessed after the fixed time period.
long oneDay = 86400000; // 24 hours in milliseconds
// creation time is fixed for the life of the session, unlike last-accessed time
if ((System.currentTimeMillis() - session.getCreationTime()) > oneDay) {
    session.invalidate();
}
Upvotes: 2
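A complete servlet filter along the lines of that answer, as an added example that is not code from the original question or answer. It enforces a maximum session age measured from HttpSession.getCreationTime(), independently of the container's 30-minute inactivity timeout, so an active user's session can never outlive the one-day OAuth token. The class name AbsoluteSessionTimeoutFilter and the init-param name maxAgeSeconds are assumptions of this example, not names from the page.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Invalidates any session older than a fixed absolute lifetime, counted from
 * the session's creation time rather than its last access.
 * Example code written for this page; the class and init-param names are assumptions.
 */
public class AbsoluteSessionTimeoutFilter implements Filter {

    /** Default absolute lifetime: 1 day, matching the OAuth token lifetime in the question. */
    private static final long DEFAULT_MAX_AGE_MILLIS = 24L * 60 * 60 * 1000;

    private long maxAgeMillis = DEFAULT_MAX_AGE_MILLIS;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Optional init-param "maxAgeSeconds" (assumed name) overrides the default.
        String param = config.getInitParameter("maxAgeSeconds");
        if (param != null) {
            try {
                maxAgeMillis = Long.parseLong(param.trim()) * 1000L;
            } catch (NumberFormatException e) {
                throw new ServletException("maxAgeSeconds must be an integer", e);
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getSession(false): never create a session just to check its age.
        HttpSession session = request.getSession(false);
        if (session != null && isExpired(session.getCreationTime(), System.currentTimeMillis())) {
            // Drops the server-side session, including the stored Spring SecurityContext.
            // Filters later in the chain (e.g. the custom OAuth filter) then see an
            // unauthenticated request and run their normal login / token check.
            session.invalidate();
        }
        chain.doFilter(req, res);
    }

    /** Pure age check, kept separate so it can be unit-tested without a container. */
    boolean isExpired(long creationTimeMillis, long nowMillis) {
        return nowMillis - creationTimeMillis > maxAgeMillis;
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register it in web.xml with a filter-mapping for /* placed before the springSecurityFilterChain mapping, since the servlet container applies filters in filter-mapping order and the age check must run before Spring Security reads the session. Note that Spring Security's session-fixation protection creates a fresh session at login, so getCreationTime() then reflects the login time, which is exactly the reference point the question asks for.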