2

Is it possible to turn off HTTP session timeout in Spring Security?

From this answer I see that the HTTP session timeout can be modified in web.xml like this:

<session-config>
    <session-timeout>10</session-timeout>
</session-config>

But I did not find from the Spring Security manuals how to disable the timeout.

From this answer I see that Spring Security uses a javax.servlet.http.HttpSession internally, which according to this manual page can be set to never expire by calling the method setMaxInactiveInterval(0).

Therefore it should be possible to change the session timeout by obtaining the HttpSession (as shown here in an answer) and changing the maxInactiveInterval to 0. My question is: if I do this the first time after the user has logged in, will the change persist in the HttpSession (i.e., in the next request, will the change in the HttpSession still be there)?

And is it possible to disable the session timeout in web.xml like this or not?

<session-config>
    <session-timeout>0</session-timeout>
</session-config>

And another question, what is the default HTTP session timeout in Spring Security?

Rauni Lillemets
  • 1
    You really don't want to do this. They could last for years, and tie up resources all that time. Set a large timeout that won't inconvenience your users. I use eight hours, but I suspect I'm going to have to cut it to four on resource consumption grounds. – user207421 Aug 27 '14 at 08:34
  • Thank you for the comment, I did not think about this. Eight hours should be sufficient for my purposes. – Rauni Lillemets Aug 27 '14 at 08:42

1 Answer

3

Yes. The snippet below will keep the HTTPSession alive unless the session is invalidated explicitly:

<session-config>
    <session-timeout>0</session-timeout>
</session-config>
Kumar Abhinav
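An added example, not code from the question, the answer or Spring Security itself: a login success handler that sets a bounded idle timeout on the HttpSession once, right after authentication, following the approach asked about in the question and the eight-hour figure suggested in the comments. The interval is stored on the container-managed session, so it applies to later requests in the same session. The class name `BoundedSessionTimeoutHandler` is hypothetical, and the code assumes session-based form login with the `javax.servlet` API.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

// Hypothetical class (not part of Spring Security): applies a per-session
// idle timeout at login instead of relying only on web.xml.
public class BoundedSessionTimeoutHandler
        extends SavedRequestAwareAuthenticationSuccessHandler {

    private final int timeoutSeconds;

    public BoundedSessionTimeoutHandler(int timeoutSeconds) {
        // Zero or a negative interval tells the container the session never
        // expires, which is the setting the comments advise against.
        if (timeoutSeconds <= 0) {
            throw new IllegalArgumentException(
                    "session timeout must be a positive number of seconds");
        }
        this.timeoutSeconds = timeoutSeconds;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
            throws IOException, ServletException {
        // Assumption: the application keeps the login in an HTTP session,
        // so creating one here if it does not exist yet is acceptable.
        HttpSession session = request.getSession();
        // Stored on the session object held by the container; it stays in
        // effect until the session is invalidated or the value is changed.
        session.setMaxInactiveInterval(timeoutSeconds);
        // Continue with the normal redirect to the originally requested URL.
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
```

Construct it with `8 * 60 * 60` for the eight hours mentioned in the comments and register it as the form-login success handler (`successHandler(...)` in Java config or `authentication-success-handler-ref` in XML).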