Tomcat Spring Security - set session cookie expiration time

Question

I'm building a web application based on an embeded Tomcat - 7.0.55, Spring-Boot-1.1.6, Spring-webmvc/core - 4.0.7 and Spring-Security - 3.2.5.

My configuration looks like this:

@Configuration
public class ServletCtxConfig {

    @Bean
    @Profile({ Profiles.PRODUCTION, Profiles.QA, Profiles.DEV })
    EmbeddedServletContainerFactory servletContainerFactory() {
        TomcatEmbeddedServletContainerFactory retVal = new TomcatEmbeddedServletContainerFactory();
        retVal.setContextPath("contextPath");
        retVal.setTomcatContextCustomizers(Arrays.asList(contextCustomizer()));
        retVal.setPort(111);
        Connector httpConnector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        httpConnector.setPort(123);
        httpConnector.setRedirectPort(456);
        retVal.addAdditionalTomcatConnectors(httpConnector);

        return retVal;
    }

    @Bean
    CustomCustomizer contextCustomizer() {
        return new CustomCustomizer();
    }

}

class CustomCustomizer implements TomcatContextCustomizer {

    @Value("${session.timeout:10080}")
    Integer sessionTimeOut;

    @Override
    public void customize(Context context) {
        context.setSessionCookieName("comilion-fw");
        context.setSessionTimeout(sessionTimeOut);
        context.setUseHttpOnly(false);
    }
}

I am able to set the session expiration time but it is not reflected on the cookie expiration time on the browser. Can some one please instruct me how to set the cookie expiration time?

CAn you please show us your configuration for session management so that we can determine if there are faults within it? — Aeseir, Oct 03 '14 at 03:17

score 2 · Answer 1 · edited May 23 '17 at 11:50

2

Try to access the servlet context during a web app init stage and set the value like this:

servletContext.getSessionCookieConfig().setMaxAge(600);

Have a look at WebApplicationInitializer and SpringServletContainerInitializer

And if you still somehow run web app using web.xml here you go jsessionid-cookie-with-expiration-date-in-tomcat

edited May 23 '17 at 11:50

Community

1
1

answered Oct 02 '14 at 13:08

Grzegorz Solecki

308
1
11

1

Thanks for your answer but I'm looking for an solution that comes from the Spring-Security framework(Since such a change might change the framework behaviour) – Modi Oct 03 '14 at 06:17

score 0 · Answer 2 · answered Feb 16 '16 at 13:35

What I'v done eventually, is customizing the EmbeddedServletContainerFactory as follow:

    @Bean
    EmbeddedServletContainerFactory servletContainerFactory() {
    logger.debug("Raising Embedded servlet container with port: ", port, " and context path: ", contextPath);
    TomcatEmbeddedServletContainerFactory retVal = new TomcatEmbeddedServletContainerFactory() {
        @Override
        protected void postProcessContext(Context context) {
            SecurityConstraint securityConstraint = new SecurityConstraint();
            securityConstraint.setUserConstraint("CONFIDENTIAL");
            SecurityCollection collection = new SecurityCollection();
            collection.addPattern("/*");
            securityConstraint.addCollection(collection);
            context.addConstraint(securityConstraint);
        }
    };
    retVal.setContextPath(contextPath);
    retVal.setTomcatContextCustomizers(Arrays.asList(contextCustomizer()));
    retVal.addAdditionalTomcatConnectors(this.createConnection());
    return retVal;
}

@Bean
CustomCustomizer contextCustomizer() {
    return new CustomCustomizer();
}

class CustomCustomizer implements TomcatContextCustomizer {

    @Value(Properties.$_SESSION_TIMEOUT)
    Integer sessionTimeOut;

    @Override
    public void customize(Context context) {
        context.setSessionCookieName("XXX");
        context.setSessionTimeout(sessionTimeOut);
}
}

Tomcat Spring Security - set session cookie expiration time

2 Answers2