5

I’m working on a grails web application with spring security. I have a requirement for forcing a session expiration after a fixed set of time even if the session is active.

I think I can add filter and check for each request's last login time:

if (CURRENT_TIME - LAST_LOGIN > ABSOLUTE_SESSIO EXPIRATION) then FORCE LOGOUT

But the problem is that the session is still active on the server until the user makes request.

Is this possible to destroy session immediately after N minutes even if user is using the system? I was researching tomcat session management and how spring security handles it, but didn’t find any useful information.

Could anybody point me at some example? Has anybody implemented something similar?

condit
  • 10,852
  • 2
  • 41
  • 60
Andriy Budzinskyy
  • 1,971
  • 22
  • 28
  • see this discussion may help http://stackoverflow.com/questions/3771103/how-do-i-get-a-list-of-all-httpsession-objects-in-a-web-application. – kosa Oct 18 '12 at 20:34
  • Once you get hold of all active sessions, may be you can write a scheduler to enumerate the sessions and timeout the ones which are expired. May be simple (or) straight forward task. – kosa Oct 18 '12 at 20:35
  • On the other hand, why do you care? A session which isn't used by its user is just some unused bytes in memory or on the disk. Waiting for the next request or for the default timeout to delete them shouldn't cause much harm. – JB Nizet Oct 18 '12 at 20:42
  • 1
    You have to ask yourself, "does the requirement make sense?" If not, then I wouldn't worry too much about killing the session at a specific time. It could be whoever wrote the requirement doesn't understand the ins and outs of how sessions work. – mrswadge Oct 18 '12 at 21:08

1 Answers1

5

[Edit: An idea for killing the session at a specific time decided by the login time would be use a task scheduler like Quartz to schedule a task that is passed the session as a parameter. You could then schedule it to call a job that performs a session.invalidate() at a specific point in time. The task would be scheduled at login time.]

This is how I would do it, but it doesn't kill the session at the specific time you want. It relies on the user making a request. It's not fool proof, but you could make the application poll the site every minute or so via an AJAX call perhaps.

Set a session activation time on the users session. Then add a filter to the web application for all incoming requests that checks the (activation period + the allowed time) exceeds the current time. If it does not, then call session.invalidate();

i.e. on login

HttpSession session = request.getSession();
session.setAttribute( "activation-time", System.currentTimeMillis() );

Then add a filter to web.xml

<filter>
    <filter-name>SessionFilter</filter-name>
    <filter-class>com.something.SessionFilter</filter-class>
    <init-param>
        <param-name>max-period</param-name>
        <param-value>60000</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>SessionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The filter would be something along the lines of...

package com.something;

import java.io.IOException;
import java.util.Date;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionFilter implements Filter {
    private long maxPeriod;

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession( false );
        if ( session != null ) {
            long activated = (long) session.getAttribute( "activation-time" );
            if ( System.currentTimeMillis() > ( activated + maxPeriod ) ) {
                 session.invalidate();
            }
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) throws ServletException {
        //Get init parameter
        if ( config.getInitParameter("max-period") == null ) {
             throw new IllegalStateException( "max-period must be provided" );
        }
        maxPeriod = new Long( config.getInitParameter("max-period") );
    }

    public void destroy() {
        //add code to release any resource
    }
}

If you need to invoke something when the session is invalidated then you can write a HttpSessionListener and configure in web.xml also.

mrswadge
  • 1,659
  • 1
  • 20
  • 43
  • 2
    Just to add up..Spring 3.0+ provides scheduling out of the box that should be sufficient for most use cases and you do not have to use Quartz. More [info](http://blog.springsource.org/2010/01/05/task-scheduling-simplifications-in-spring-3-0/) – Ravi Kadaboina Oct 20 '12 at 01:08