Spring Boot session timeout

Question

server.session-timeout seems to be working only for embedded tomcat.

I put a log statement to check the session max interval time. After deploying the war file manually to tomcat, I realized that default session timeout value (30 min) was being used still.

How can I set session timeout value with spring-boot (not for embedded tomcat, but for a stand-alone application server)?

Answer 1

I used ServletContextInitializer

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
@Configuration
public class MyServletContextInitializer implements ServletContextInitializer {
    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        servletContext.setSessionTimeout(1);
    }
}

Answer 2

Complementing the @Ali answer, you can also create a session.timeout variable in your application.yml file and use it in your class. This should work great with Spring Boot war and external Tomcat:

application.yml

  session:
    timeout: 480 # minutes

SessionListener (with @Configuration annotation)

import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;

@Configuration
class SessionListener implements HttpSessionListener {

    @Value("${session.timeout}")
    private Integer sessionTimeout;

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        event.getSession().setMaxInactiveInterval(sessionTimeout);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {}

}

Answer 3

[Just in case someone finds this useful]

If you're using Spring Security you can extend the SimpleUrlAuthenticationSuccessHandler class and set the session timeout in the authentication success handler:

public class NoRedirectSavedRequestAwareAuthenticationSuccessHandler
       extends SimpleUrlAuthenticationSuccessHandler {

    public final Integer SESSION_TIMEOUT_IN_SECONDS = 60 * 30;

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
                                        throws ServletException, IOException {

        request.getSession().setMaxInactiveInterval(SESSION_TIMEOUT_IN_SECONDS);

        // ...
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
            .formLogin()
            .loginProcessingUrl("/login")
            .successHandler(new NoRedirectSavedRequestAwareAuthenticationSuccessHandler())
            .failureHandler(new SimpleUrlAuthenticationFailureHandler())
            .and().httpBasic();
    }

}

Answer 4

Use HttpSessionListener

@Configuration
public class MyHttpSessionListener implements HttpSessionListener {
    @Override
    public void sessionCreated(HttpSessionEvent event) {
        event.getSession().setMaxInactiveInterval(30);
    }
}

Answer 5

Based on justin's answer showing how to set session timeout using an AuthenticationSuccessHandler with Spring Security, I created a SessionTimeoutAuthSuccessHandler:

public class SessionTimeoutAuthSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
  public final Duration sessionTimeout;

  public SessionTimeoutAuthSuccessHandler(Duration sessionTimeout) {
    this.sessionTimeout = sessionTimeout;
  }

  @Override
  public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse res, Authentication auth) throws ServletException, IOException {
    req.getSession().setMaxInactiveInterval(Math.toIntExact(sessionTimeout.getSeconds()));
    super.onAuthenticationSuccess(req, res, auth);
  }
}

In use:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
      .anyRequest().authenticated()
      .and().formLogin().loginPage("/login")
      .successHandler(new SessionTimeoutAuthSuccessHandler(Duration.ofHours(8))).permitAll()
      .and().logout().logoutUrl("/logout").permitAll();   
  }
...
}

Edit Extending from SavedRequestAwareAuthenticationSuccessHandler rather than SimpleUrlAuthenticationSuccessHandler to ensure that original requests is not lost after re-authentication.

Answer 6

In your application.properties

#session timeout (in secs for spring, in minutes for tomcat server/container)
server.session.timeout=1

I tested it and is working! It turns out that tomcat take the property in minutes

Answer 7

You've discovered, as I have, that there is no direct call in the Servlet API nor the Spring APIs for setting the session timeout. The need for it is discussed here and there, but it hasn't been addressed yet.

There's kind of a round-a-bout way to do what you want. You can configure a session listener that sets the timeout on the session. I came across an article with code examples at: http://fruzenshtein.com/spring-java-configuration-session-timeout

I hope that helps.

Answer 8

When you deploy a Spring Boot app to a standalone server, configuring the session timeout is done in the same way as it would be in any other war deployment.

In the case of Tomcat you can set the session timeout by configuring the maxInactiveInterval attribute on the manager element in server.xml or using the session-timeout element in web.xml. Note that the first option will affect every app that's deployed to the Tomcat instance.