Akshay Prabhu

Reputation: 315

Session timeout is not working in Spring Boot?

I have set the following property

    server.servlet.session.timeout=30s

in my application properties, but the session timeout is not triggered. But after setting

    server.servlet.session.cookie.max-age=30s

the session timeout got triggered, but the following code for updating the logout time is not getting triggered.

    @Component
    public class LogoutListener implements ApplicationListener<SessionDestroyedEvent> {

        @Override
        public void onApplicationEvent(SessionDestroyedEvent event)
        {
            // Security contexts that were stored in the destroyed session
            List<SecurityContext> lstSecurityContext = event.getSecurityContexts();
            UserDetails ud;
            for (SecurityContext securityContext : lstSecurityContext)
            {
                ud = (UserDetails) securityContext.getAuthentication().getPrincipal();

                // us: the poster's user service (its declaration is not shown in the question)
                us.findAllUsersByEmail(ud.getUsername()).get(0).setLastLogout(LocalDateTime.now());
                System.out.println("lastloginspec : " + ud.getUsername() + " : 00 : " + LocalDateTime.now());
            }
        }

    }


    // Publishes HttpSession lifecycle events into the Spring application context
    @Bean
    public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean<HttpSessionEventPublisher>(new HttpSessionEventPublisher());
    }

Could anyone help me out?

Upvotes: 4

Views: 3438

Answers (2)

Vishal Pawar

Reputation: 788

I have implemented the session listener in the following way.

  1. Create a custom http session listener.

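    @Component
    public class CustomHttpSessionListener implements HttpSessionListener {

        private static final Logger LOG = LoggerFactory.getLogger(CustomHttpSessionListener.class);

        @Override
        public void sessionCreated(HttpSessionEvent se) {
            LOG.info("New session is created.");
            // Authentication is null when no user is bound to the current thread
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (auth != null && auth.getPrincipal() instanceof UserPrincipal) {
                UserPrincipal principal = (UserPrincipal) auth.getPrincipal();
            }
        }

        @Override
        public void sessionDestroyed(HttpSessionEvent se) {
            LOG.info("Session destroyed.");
            // Same guard: avoids a NullPointerException when the thread has no security context
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (auth != null && auth.getPrincipal() instanceof UserPrincipal) {
                UserPrincipal principal = (UserPrincipal) auth.getPrincipal();
            }
        }
    }
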
  2. Invoke new ServletListenerRegistrationBean and add CustomHttpListener to it and annotate it as @Bean.

    @Autowired
    private CustomHttpSessionListener customHttpSessionListener;

    // Registers the custom listener with the embedded servlet container
    @Bean
    public ServletListenerRegistrationBean<CustomHttpSessionListener> sessionListenerWithMetrics() {
        ServletListenerRegistrationBean<CustomHttpSessionListener> listenerRegBean =
                new ServletListenerRegistrationBean<>();
        listenerRegBean.setListener(customHttpSessionListener);
        return listenerRegBean;
    }

  3. Adding a property to application.properties

    server.servlet.session.timeout = 15m

Upvotes: 2
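
An added example, not code from either poster: a listener that reads the authenticated user from the destroyed session's own attribute instead of from `SecurityContextHolder`, which is thread-bound and empty when the container expires an idle session on a background thread. It assumes Spring Security's default session-backed context storage and the `jakarta.servlet` namespace (use `javax.servlet` on Spring Boot 2.x); the class name `SessionAuditListener` is hypothetical.

```java
import jakarta.servlet.http.HttpSession;
import jakarta.servlet.http.HttpSessionEvent;
import jakarta.servlet.http.HttpSessionListener;
import java.time.Instant;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.stereotype.Component;

// Hypothetical class name; added example, not part of the original answers.
@Component
public class SessionAuditListener implements HttpSessionListener {

    private static final Logger LOG = LoggerFactory.getLogger(SessionAuditListener.class);

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // A session can be created before login, so no user is looked up here.
        // Logging the interval shows the idle timeout the container actually applied.
        LOG.info("Session created, idle timeout {}s", se.getSession().getMaxInactiveInterval());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Invoked before the session is invalidated, so its attributes are still readable.
        String user = userOf(se.getSession()).orElse("<unauthenticated>");
        LOG.info("Session ended for {} at {}", user, Instant.now());
    }

    // Resolves the user name from the SecurityContext stored in the session, if any.
    static Optional<String> userOf(HttpSession session) {
        Object attr = session.getAttribute(
                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        if (!(attr instanceof SecurityContext)) {
            return Optional.empty(); // session never held an authenticated context
        }
        Authentication auth = ((SecurityContext) attr).getAuthentication();
        return auth == null ? Optional.empty() : Optional.ofNullable(auth.getName());
    }
}
```

The session id is deliberately left out of the log lines, since it is a bearer credential for as long as the session is alive.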

  • This is not a full answer, but a step to isolate and troubleshoot. Replace your LogoutListener with this and see, when you start the application, if it is printing any events. If it is not printing, your issue is not specific to SessionDestroyedEvent but generic to your listener.
    @Component
    public class LogoutListener
            implements ApplicationListener<ApplicationEvent> {

        @Override
        public void onApplicationEvent(ApplicationEvent event)
        {
            System.out.println("event caught at  LogoutListener: " + event);
        }

    }
  • Also add this to application.properties to see if the event is fired, as it should log "Publishing event":
    logging.level.org.springframework.security.web.session.HttpSessionEventPublisher=DEBUG

Upvotes: 0
