pheromix

Reputation: 19287

How to know that a session is expired?

I set values on the session object in a controller method after a successful login:

    @RequestMapping(value = "/", method = RequestMethod.POST)
    public ModelAndView processLogin(Model model, HttpServletRequest request, HttpSession session, @RequestParam String login, @RequestParam String pwd) {

        if ( utilisateurDao.verifierLoginUser(login) ) {

            if ( utilisateurDao.verifierUser(login, pwd) ) {

                HashMap<String, String> criteres = new HashMap<String, String>();
                criteres.put("user_login", login);
                criteres.put("user_passwd", pwd);
                List<Utilisateur> users = utilisateurDao.lireParCritere(criteres);
                session.setAttribute("user_code", ((Utilisateur)users.get(0)).getUser_code());

                session.setAttribute("menu", menuDao.afficherMenuParUtilisateur((Integer)session.getAttribute("user_code"), env, request, session));

                criteres.clear();
                users.clear();

                criteres.put("user_code", String.valueOf(session.getAttribute("user_code")));
                users = utilisateurDao.lireParCritere(criteres);
                session.setAttribute("user_names", ((Utilisateur)users.get(0)).getNoms());

                session.setAttribute("logout_menu", env.getProperty("menu.logout"));

                return new ModelAndView("redirect:/accueil");

            } else {

                ModelAndView modelViewLogin = new ModelAndView("redirect:/");

                modelViewLogin.addObject("e", "p").addObject("l", login);

                return modelViewLogin;

            }

        } else {

            ModelAndView modelViewLogin = new ModelAndView("redirect:/");

            modelViewLogin.addObject("e", "l");

            return modelViewLogin;

        }

    }

Then I left the app open but inactive for some minutes. After that I went to the "accueil" path, and the menu was not shown anymore! The menu was retrieved from the session. So how can I know that the session has expired, and where is the appropriate place to test it?

Upvotes: 0

Views: 7066

Answers (3)

Parth Solanki

Reputation: 3448

I check it like below. I think it might help.

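    // Needs: java.io.IOException, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpSession,
    // org.springframework.security.core.Authentication, org.springframework.security.core.context.SecurityContext
    public boolean isUserLoggedIn(HttpServletRequest request) throws IOException {
        // getSession(false) does not create a new session when the old one has expired
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        SecurityContext securityContext = (SecurityContext) session.getAttribute("SPRING_SECURITY_CONTEXT");
        if (securityContext == null) {
            return false;
        }
        Authentication authentication = securityContext.getAuthentication();
        // A missing Authentication means nobody is logged in
        return authentication != null && authentication.isAuthenticated();
    }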

Upvotes: 1

Giuseppe

Reputation: 36

You can make an interceptor:

    @Component
    public class RequestInterceptor extends HandlerInterceptorAdapter

In this interceptor you can inspect the HttpServletRequest and check whether the object exists in it, and then you can throw a new SessionExpiredException and catch it with @ExceptionMapper (https://spring.io/blog/2013/11/01/exception-handling-in-spring-mvc)

    @Override
    public boolean preHandle(HttpServletRequest request,
            HttpServletResponse response, Object handler) throws Exception {
        if (request.getSession().getAttribute("user") == null) {
            throw new SessionExpiredException();
        }
        return true;
    }

Upvotes: 1
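
An added example, not part of the answer above or of the original thread: an interceptor that tells an expired session apart from a first visit by using the Servlet API's `getRequestedSessionId()` and `isRequestedSessionIdValid()`. It assumes Spring 5.x with `javax.servlet` and Java-based MVC configuration; the class names and the `e=s` flag are hypothetical, while the `user_code` attribute and the `/` login path come from the question.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Component
public class SessionExpiryInterceptor implements HandlerInterceptor {
    // Attribute the question's processLogin() sets after a successful login
    private static final String LOGIN_MARKER = "user_code";

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        // getSession(false) never creates a session, so null means "no live session"
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(LOGIN_MARKER) != null) {
            return true; // live, logged-in session: continue to the controller
        }
        // The browser sent a session id the container no longer accepts:
        // the session timed out or was invalidated (not a first visit).
        boolean expired = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
        // Hypothetical flag so the login page can show a "session expired" notice
        response.sendRedirect(request.getContextPath() + (expired ? "/?e=s" : "/"));
        return false; // stop here; the controller is not invoked
    }
}

// Registration (assumed Java config); package-private so both types fit in one file
@Configuration
class SessionExpiryConfig implements WebMvcConfigurer {
    private final SessionExpiryInterceptor interceptor;

    SessionExpiryConfig(SessionExpiryInterceptor interceptor) {
        this.interceptor = interceptor;
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Exclude the login page itself, otherwise the redirect would loop
        registry.addInterceptor(interceptor).addPathPatterns("/**").excludePathPatterns("/");
    }
}
```

On Spring 6 the same code applies with the `jakarta.servlet` imports.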

RMachnik

Reputation: 3684

By default, in Spring Security the session is stored in the SessionRegistry.

By using SecurityContext you can get this info in your controller code.

    SecurityContext context = SecurityContextHolder.getContext();
    Authentication authentication = context.getAuthentication();

If you want to be notified when the session has expired or the person has logged out, you can always register a listener for SessionDestroyedEvent (documentation).

Example:

    @Component
    public class LogoutListener implements ApplicationListener<SessionDestroyedEvent> {

        @Override
        public void onApplicationEvent(SessionDestroyedEvent event) {
            //do your stuff here
        }
    }

It's also worth referring to the Spring docs on that subject.

Upvotes: 3
