19

Is there any way of specifying the session timeout in Spring? I cannot specify it in web.xml, as I am using a session-scoped bean in the controller as follows.

I have configured the controller through Spring XML files.

class xyzController{

     ABCSessionScopeClass objectWhichWillBeStoredInSession;
}

I cannot use this either:

session.setMaxInactiveInterval(60*60);

Is there any other way of doing this? I don't mind setting the timeout per session or for all sessions at the same time.

JProgrammer
  • I'd like to know this as well. When I went through this, the *only* way I could change it was with setting in web.xml (or server.xml). – nickdos Aug 23 '12 at 00:51
  • What's wrong with setMaxInactiveInterval, isn't it a part of the servlet API? Some spring security tools call session.invalidate directly for example, and there are no problems with it. – Boris Treukhov Aug 23 '12 at 03:34
  • 1
    @BorisTreukhov There is nothing wrong with it. This is the last option. I just want to make sure whether there is any other alternative, like specifying it in a configuration file or something. – JProgrammer Aug 23 '12 at 07:17

2 Answers

24

Solution using pure Spring MVC, servlet context.xml

<mvc:interceptors>
    <bean class="com.xxx.SessionHandler" />
</mvc:interceptors>

Handler Adapter

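import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

@Component
public class SessionHandler extends HandlerInterceptorAdapter {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        // getSession() creates a session if none exists; the interval is in seconds (60*60 = 1 hour)
        request.getSession().setMaxInactiveInterval(60*60);
        return true;
    }
}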

Assuming you are using Spring Security,

For each successful login, I think the best way is to create a LoginSuccessHandler and specify authentication-success-handler for normal login as well as remember-me.

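import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.stereotype.Service;

@Service
public class LoginSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    @Override
    public void onAuthenticationSuccess(
            HttpServletRequest request,
            HttpServletResponse response,
            Authentication authentication) throws ServletException, IOException {
        // Set the idle timeout (in seconds) on the authenticated session, then continue the redirect
        request.getSession().setMaxInactiveInterval(60*60);
        super.onAuthenticationSuccess(request, response, authentication);
    }

}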

 

<http auto-config="true" use-expressions="true">
    <form-login login-page="/login"
        authentication-failure-url="/login.hst?error=true"
        authentication-success-handler-ref="loginSuccessHandler" />
    <logout invalidate-session="true" logout-success-url="/home" logout-url="/logout" />
    <remember-me key="jbcp" authentication-success-handler-ref="loginSuccessHandler"/>
    <session-management>
        <concurrency-control max-sessions="1" />
    </session-management>
</http>
stites
Jigar Parekh
-1

I was not able to find any way to specify the session timeout value through any Spring configuration files. I was using an <aop:scoped-proxy> bean so that I don't have to manage reading/writing values/objects to the session. Now, I also want the same for setting the session timeout value, without using the Servlet API. But it looks like there is no way to specify it other than the web.xml file. So I ended up using the Servlet API request.getSession() to set the timeout period. I externalized the time value so that I can easily change it without recompiling the code. If anyone finds a better approach, please feel free to post it. If it is better, I can accept it as an answer.

JProgrammer
  • You can specify session timeout using web.xml as described here: http://stackoverflow.com/questions/12932589/changing-the-default-session-timeout-of-a-spring-web-application – Ivan Nikitin Aug 26 '15 at 17:04
  • 1
    If you're using Spring Boot, you can specify session timeout in application.properties: server.session-timeout=86400 – Ivan Nikitin Aug 26 '15 at 17:04
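
A variant of the interceptor approach from the answers above, as an added example that is not part of any post on this page: the timeout is a bean property that can be set from the Spring XML, and the interceptor only touches sessions that already exist instead of creating one on every request. The class name, package and property name are assumptions of this example.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * Added example (hypothetical class). Wiring in the servlet context XML:
 *
 *   <mvc:interceptors>
 *     <bean class="com.example.ConfigurableSessionTimeoutInterceptor">
 *       <property name="timeoutSeconds" value="1800" />
 *     </bean>
 *   </mvc:interceptors>
 */
public class ConfigurableSessionTimeoutInterceptor extends HandlerInterceptorAdapter {

    private int timeoutSeconds = 60 * 60; // same one-hour value the answers use

    public void setTimeoutSeconds(int timeoutSeconds) {
        // The Servlet API treats a negative interval (and zero, since 3.1) as
        // "never time out", so a bad configuration value fails at startup.
        if (timeoutSeconds <= 0) {
            throw new IllegalArgumentException("timeoutSeconds must be positive");
        }
        this.timeoutSeconds = timeoutSeconds;
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        apply(request);
        return true;
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response,
                                Object handler, Exception ex) throws Exception {
        // Covers a session that the handler created during this request
        apply(request);
    }

    private void apply(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never creates a session
        if (session != null && session.getMaxInactiveInterval() != timeoutSeconds) {
            session.setMaxInactiveInterval(timeoutSeconds);
        }
    }
}
```

Because `getSession(false)` is used, requests that never need a session (static resources, health checks, unauthenticated probes) do not allocate one, which keeps the timeout setting from turning into a source of unbounded session creation.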