
In my application, at time of login I am creating a cookie (AAA). On logout I am able to delete the cookie. At automatic session timeout I am redirecting the user to the login page but am not able to delete (expire) the cookie (AAA). I am using JBoss AS 7.1, Spring 3.1 and Spring Security in my application.

Following is the http tag configuration in my security.xml:

    <http auto-config="true" use-expressions="true" entry-point-ref="customLoginUrlAuthenticationEntryPoint" disable-url-rewriting="true">
        <request-cache ref="httpSessionRequestCache"/>
        <session-management invalid-session-url="/ctx/login?invalid-session=true" session-authentication-error-url="/ctx/login?session-auth-error=true">
            <concurrency-control max-sessions="1"  expired-url="/ctx/login?expired=true" error-if-maximum-exceeded="true" />
        </session-management>

        <form-login authentication-success-handler-ref="customAuthenticationSuccessHandler"
                    authentication-failure-handler-ref="customPageHandler"
                    login-processing-url="/j_spring_security_check"/>

        <custom-filter before="ANONYMOUS_FILTER" ref="anonymousFilter"/>
        <custom-filter before="FORM_LOGIN_FILTER" ref="customFilter"/>
        <custom-filter before="LOGOUT_FILTER" ref="logoutFilter" />
    </http>

I have tried the following options:

Option 1: Created an HttpFilter to refresh the cookie and synchronize the time between the session and the cookie.

Option 2: Created an HttpFilter for the login page URL (/login). The filter gets invoked for the login page and deletes the cookie.

Option 1 doesn't seem to work because I can still see the cookie after the session has timed out. The problem with option 2 is that if a logged-in user requests the login page again from the same browser in a different tab, the filter gets invoked and deletes the cookie, which is bad because the cookie is required for further communication.

Could you please help me with the right way to delete the cookie?

Also I wanted to mention that the filter gets invoked before the HttpSessionListener#sessionDestroyed method.

VirtualLogic
  • What is your cookie for? As you are using spring-security I presume it is not for session identification because that's already managed by spring-sec. And if you have a session, why do you try to sync another cookie with your session? You will find references on cookie types in [this post](http://stackoverflow.com/questions/3869821/how-do-i-create-a-persistent-vs-a-non-persistent-cookie) – Serge Ballesta May 05 '14 at 15:50
  • We are doing cookie-based authentication in another sub-system. – VirtualLogic May 05 '14 at 15:58
  • Ok, but are you sure you really need to keep sessions in sync on the two systems? I'm unsure that you can, but you could also have a look at the [CAS protocol](https://wiki.jasig.org/display/CASUM/Technical+Overview) as an implementation of authenticating a user at a central point for the benefit of multiple systems. Please note that this protocol uses session cookies and not permanent ones (see my previous comment for refs). – Serge Ballesta May 05 '14 at 16:57
  • That's right. But at this point in time I cannot change anything. If you can provide some direction with the options left, that would be nice. – VirtualLogic May 05 '14 at 17:29
  • You should provide more information about what you want to do and what you can do. Without more info, I can only ask you whether you keep the value of the cookie in your session. It could help to see if the cookie is valid (not in the current session means invalid ...). – Serge Ballesta May 05 '14 at 17:58
  • Use case is: at time of login I need to create a cookie, which I pass to another .NET application running on some other server. It does the cookie-based authentication. Now if the session times out I need to delete the cookie. – VirtualLogic May 05 '14 at 20:03
  • If the session has timed out but there is no interaction from the browser with your app, I can't imagine how you could delete the cookie outside of an HTTP request. Of course you could do some JavaScript, but it would be safer to directly warn the other app the same way you first gave it the cookie. You just have to keep its value in your session and inform the other app that the cookie is no longer valid at session end. – Serge Ballesta May 05 '14 at 20:46

1 Answer

You have to delete the cookies on session timeout.
We have done the following in our project:

  1. You are passing some parameters on the login URL and, on the basis of the parameter values, you might be deleting the cookies. We are using different URLs for login (/auth/login) and session timeout (/home/sessionExpired).

    In the session-management tag set the URL:

    <session-management session-authentication-strategy-ref="maxSessions"
        invalid-session-url="/home/sessionExpired"/>
    
  2. In the controller:

    @RequestMapping(value="/home/sessionExpired")
    public String handleSessionTimeout(HttpServletRequest request, HttpServletResponse response,
                                       RedirectAttributes redirectAttributes) {
        SecurityContextHolder.clearContext();
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // getCookies() returns null when the request carries no cookies
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                // Changing a request cookie does nothing by itself: the browser only drops it
                // when the response sends the same name and path back with Max-Age=0
                cookie.setValue("");
                cookie.setPath("/");   // must match the path the cookie was created with
                cookie.setMaxAge(0);
                response.addCookie(cookie);
            }
        }
        // err.sessionexpired : make entry in properties file
        redirectAttributes.addFlashAttribute("message", "err.sessionexpired");
        return "redirect:/auth/login";
    }


Hope it will help you.
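As an added example (not the answer's or the project's own code), a helper that covers both halves of what the answer and the comments describe: expiring the AAA cookie in the response while a request is in flight, and marking its value revoked from HttpSessionListener#sessionDestroyed, which the container fires on timeout with no request present. The class names, the AAA_VALUE session attribute and the in-memory revocation set are assumptions.

```java
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Helper for the AAA cookie; class and attribute names are assumptions for this example. */
public final class AaaCookieSupport {
    public static final String COOKIE_NAME = "AAA";
    public static final String SESSION_ATTR = "AAA_VALUE";   // stored at login alongside the cookie
    // Constructed in-memory revocation list; the other system must consult it, since nothing can reach the browser after timeout.
    private static final Set<String> REVOKED = Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());

    /** Call from the /home/sessionExpired handler (or a LogoutHandler) while a request is in flight. */
    public static void expireInBrowser(HttpServletRequest request, HttpServletResponse response) {
        Cookie[] cookies = request.getCookies();          // null when the request has no cookies
        if (cookies == null) {
            return;
        }
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) {
                REVOKED.add(c.getValue());
                Cookie gone = new Cookie(COOKIE_NAME, "");
                gone.setPath("/");      // must match the path used when the cookie was created
                gone.setMaxAge(0);      // Max-Age=0 makes the browser discard the cookie
                gone.setHttpOnly(true); // Servlet 3.0 API, available on JBoss AS 7.1
                response.addCookie(gone);
            }
        }
    }

    /** Server-side check: a cookie whose value was revoked is dead even if the browser still sends it. */
    public static boolean isRevoked(String cookieValue) {
        return cookieValue == null || REVOKED.contains(cookieValue);
    }

    /** Register in web.xml; runs when the container destroys a session, even with no request. */
    public static final class SessionEndListener implements HttpSessionListener {
        public void sessionCreated(HttpSessionEvent se) { }
        public void sessionDestroyed(HttpSessionEvent se) {
            Object value = se.getSession().getAttribute(SESSION_ATTR);
            if (value != null) {
                REVOKED.add(value.toString());   // cookie stays in the browser but no longer authenticates
            }
        }
    }
}
```

The login code that creates the cookie is assumed to also store its value under SESSION_ATTR, so the listener can revoke it without a request.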

Nilam Patil - Naik