How to manage session in Spring web services?

Question

I have used Spring MVC and hibernate in my web service project. I want to handle user login sessions and session timeout. These services(ex :- login) can be accessed through web portal as well as Android/iOS device by the same customer. When one of these call to logout service, it should only logout for the current device and keep other login sessions unchanged.

Answer 1

The short answer for this is use Spring Security.

Spring Security is one of the excellent Java Security framework out there. It will help you to manage the user logged in sessions the way you want it. Integrating Spring Security with Spring MVC is very easy, because you already have Spring Beans configuration file. All you need is to create spring security authentication related changes to get it working.

I will not go in depth, rather recommend you to look into these tutorials:

• Spring Security Hello World Example
• Spring MVC Security Example using in-memory, UserDetailsService and JDBC Authentication
• Securing your REST API with Spring Security

I would strongly recommend you to look into this Stackoverflow thread.

To use http Sessions in Spring MVC, please follow the below links:

• Using Http Session With Spring Based Web Applications
• How to get Session Object In Spring MVC

Answer 2

Since you want logout user specific to the device from where you press logout, my idea is to use tokens, and maintain these in temporary database, for ex, user accessing your api via mobile will have some token generated and via web some other token should be generated and stored in database like

USERID----TOKEN----MODE-
1 --- abcde1233 --- web
2 --- abcde7878 --- mobile

So now you can logout user specific to device, its just an idea, not sure how efficient this might work for your problem.