Krutika Pawar

Reputation: 1

Session timeout of developed web app deployed using Azure portal after 30 min idle state

I want my session to expire after 30 minutes of inactivity. The web application can only be used after logging in with a company-based ID, i.e., a Microsoft account ID. The application is deployed on the Azure Portal.

I have implemented the following code in application.yaml. Before this, I tried multiple options available on the internet, but none were successful. I even tried deleting the cookie and session, along with various other suggestions found online, but without success.

# Session timeout
server:
  servlet:
    session:
      timeout: 30m
  session:
    cookie:
      max-age: 30m


@Bean
fun sessionConfig(): Session {
    val session = Session()
    session.timeout = Duration.ofMinutes(30)
    return session
}

The session should expire. What code changes or new implementations are required? Can we configure any session timeout for a deployed web app using only the Azure Portal? If not, please suggest the necessary code changes.

Upvotes: 0

Views: 52

Answers (1)

Pravallika KV

Reputation: 8694

To configure session timeout, Spring Security is the best choice in a Spring Boot application; refer to the article.

This process invalidates the session after a specified period of inactivity, mitigates the security risks associated with unattended sessions, and enhances the security of your application.

Configuration Class:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SpringSecurity {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .sessionManagement(session -> session
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)
            )
            .headers(headers -> headers
                .httpStrictTransportSecurity(Customizer.withDefaults())
            )
            .sessionManagement(session -> session
                .sessionFixation().migrateSession()
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .enableSessionUrlRewriting(false)
            );

        return http.build();
    }

    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}

I have configured the session timeout to 30 minutes with the code below:

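import java.io.IOException;
// Spring Boot 3 uses jakarta.servlet; on Spring Boot 2 these are javax.servlet.
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

public class CustomAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        request.getSession().setMaxInactiveInterval(1800); // 30 minutes (in seconds)
        super.onAuthenticationSuccess(request, response, authentication);
    }
}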

application.properties:

server.servlet.session.timeout=30m


Upvotes: 0
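
The answer defines CustomAuthenticationSuccessHandler but does not show where it is registered, and a handler that is not attached to a login flow never sets the 1800-second interval. The following is an added example, not part of the original answer: it assumes Spring Boot 3 (jakarta.* namespace) and that the Microsoft sign-in runs through Spring Security's oauth2Login(); the class name SessionTimeoutWiring and the bean names are hypothetical. It registers the handler and adds a listener that logs the effective idle interval, so the expiry can be confirmed from the application log.

```java
// Added example. Assumptions: Spring Boot 3 (jakarta.*), sign-in via oauth2Login().
import jakarta.servlet.http.HttpSession;
import jakarta.servlet.http.HttpSessionEvent;
import jakarta.servlet.http.HttpSessionListener;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SessionTimeoutWiring { // hypothetical class name

    private static final Logger log = LoggerFactory.getLogger(SessionTimeoutWiring.class);

    @Bean
    public SecurityFilterChain oauthFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Without this registration the handler from the answer is never
            // invoked and setMaxInactiveInterval(1800) is never applied.
            .oauth2Login(oauth -> oauth
                .successHandler(new CustomAuthenticationSuccessHandler()));
        return http.build();
    }

    // Spring Boot registers HttpSessionListener beans with the servlet container.
    // Session ids are deliberately not logged.
    @Bean
    public HttpSessionListener sessionAuditListener() {
        return new HttpSessionListener() {
            @Override
            public void sessionCreated(HttpSessionEvent event) {
                HttpSession s = event.getSession();
                log.info("session created, maxInactiveInterval={}s", s.getMaxInactiveInterval());
            }

            @Override
            public void sessionDestroyed(HttpSessionEvent event) {
                // Called while the session is still readable, just before invalidation.
                HttpSession s = event.getSession();
                long idleSeconds = (System.currentTimeMillis() - s.getLastAccessedTime()) / 1000;
                log.info("session destroyed after {}s idle", idleSeconds);
            }
        };
    }
}
```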
