Reputation: 4775
I have a weird problem and am not able to fix it.
The problem:
I log in to my Spring web application, which has a long session timeout. Whenever I quit the browser, reopen it, and access my web app, I see the login page every time.
It works fine as long as the browser is not closed. I thought that there was some problem with the Chrome settings, but there is not. Also, it happens with all browsers.
My web.xml:

    <session-config>
        <session-timeout>10000</session-timeout>
        <cookie-config>
            <name>myapp</name>
            <http-only>true</http-only>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

My Spring Security configuration:

    <security:http auto-config="true" use-expressions="true">
        <security:intercept-url pattern="/resources/**" access="permitAll" />
        <security:intercept-url pattern="/login" access="permitAll" />
        <security:intercept-url pattern="/login/forgot" access="permitAll" />
        <security:intercept-url pattern="/login/resetpassword" access="permitAll" />
        <security:intercept-url pattern="/home/admin/**" access="hasAnyRole('ROLE_admin', 'ROLE_manager')" />
        <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_admin', 'ROLE_manager','ROLE_user')" />
        <security:form-login
            login-page="/login"
            login-processing-url="/login"
            authentication-failure-handler-ref="authenticationFailureFilter"
            authentication-success-handler-ref="authenticationSuccessHandler"
            username-parameter="email"
            password-parameter="password" />
        <!-- enable csrf protection -->
        <security:csrf/>
    </security:http>

Is there any problem with my web.xml or Spring Security?
Upvotes: 3
Views: 1562
Reputation: 39186
Please set the max age attribute of the cookie.
By default, -1 is returned, which indicates that the cookie will persist until browser shutdown.
Upvotes: 5
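
The change the answer describes, as an added example that is not part of the original posts: the question's `<cookie-config>` with a `<max-age>` element added. The value 600000 is an assumption, chosen to match the 10000-minute session timeout (`max-age` is in seconds, `session-timeout` is in minutes).

```xml
<session-config>
    <!-- Idle timeout of the server-side session, in minutes -->
    <session-timeout>10000</session-timeout>
    <cookie-config>
        <name>myapp</name>
        <http-only>true</http-only>
        <!-- Lifetime of the session cookie in seconds, counted from when the
             cookie is set. Without this element the value is -1 and the
             browser discards the cookie on shutdown.
             600000 s = 10000 min (assumed value, matching the timeout above). -->
        <max-age>600000</max-age>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
```

A cookie with a positive max-age is written to the browser's on-disk store, so the session identifier outlives the browser process. If the application is served only over HTTPS, `<secure>true</secure>` can be added before `<max-age>` so the persistent cookie is never sent over plain HTTP.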