14

I'm developing an application with Spring Boot and Spring Security by starting the Application class in Eclipse with an embedded Tomcat. Every time I restart the server, my session disappears and I have to log in again which becomes quite annoying.

Is it possible to persist the sessions between server restarts?

I saw this other question on Stackoverflow where someone asks the opposite, which makes me think that this should actually work out-of-the-box:

How to disable Tomact session persistence in Spring Boot via Manager pathname?

I'm running Spring Boot 1.2.1 with Gradle.

btw, I know about Spring Loaded, but sometimes a server restart is unavoidable.

  • Did you check these posts : [JDBC Session Persistence](http://stackoverflow.com/questions/20507749/how-can-i-make-the-spring-security-stores-the-http-session-in-database-so-i-can?answertab=active#tab-top) & [FilterInvocationInterceptor Bean](http://stackoverflow.com/questions/1587423/spring-not-restoring-tomcat-persistent-sessions-to-session-registry-after-restar?answertab=active#tab-top) ? – lgd Feb 12 '15 at 14:16
  • also make sure everything you put in session is Serializable – Neil McGuigan Feb 12 '15 at 19:49

3 Answers3

17

According to the Spring this will be fixed in 1.3.0.M2 and eventually in 1.3.0.RELEASE

Then all you got to do is add the following line to your application.properties file.

server.session.persistent=true

In recent Spring versions this has been deprecated and replaced by:

server.servlet.session.persistent=true

Reference https://github.com/spring-projects/spring-boot/issues/2490

Update Tomcat, Jetty and Undertow to serialize session data when the application is stopped and load it again when the application restarts.

Persistent session are opt-in; either by setting persistentSession on the ConfigurableEmbeddedServletContainer or by using the property server.session.persistent=true.

Fixes gh-2490

Clyde
  • 7,389
  • 5
  • 31
  • 57
Faraj Farook
  • 14,385
  • 16
  • 71
  • 97
  • 6
    Yup, this is now fixed - also worth mentioning that devtools enables this flag by default. – Michael Berry Oct 20 '16 at 16:41
  • 1
    I have this and I still lose my Spring Authentications after server restart. :( – Hendy Irawan Jul 30 '17 at 07:41
  • If you have spring security enabled, make sure any custom objects that you put into SecurityContext is serializable, otherwise the restored session would be considered invalid by spring security. – Yuming Cao Jan 17 '21 at 01:06
  • For me also needed this configuration: `server.servlet.session.storeDir=/tmp/my-app-sessions` – hurelhuyag May 17 '22 at 08:35
8

I just figured this out myself. Everytime the application is started, Spring generates a new random temporary directory in /tmp for Tomcat's base directory (e.g. /tmp/tomcat.5990562997404648887.8080). Since it uses a different folder on each start, Tomcat has no way to restore the session.

This can be worked around by setting your own base directory with server.tomcat.basedir=/tmp. However, I don't consider this a fix since it requires setting an operating system specific directory, so I opened a bug about this: https://github.com/spring-projects/spring-boot/issues/2490

4

I solved it by using Redis to persist sessions info.

All you need to do is specify a few options in application.yml file:

server:
  servlet:
    session:
      persistent: true
spring:
  session:
    store-type: redis
  redis:
    host: localhost
    port: 6379
 ...

build.gradle

    plugins {
       id 'java'
       id 'io.spring.dependency-management' version '1.0.6.RELEASE'
       id 'org.springframework.boot' version '2.1.3.RELEASE'
   }
    ...
    // Spring Framework
    compile(
            'org.springframework.boot:spring-boot-starter-web',
            'org.springframework.boot:spring-boot-starter-data-jpa',
            'org.springframework.data:spring-data-redis',
            'org.springframework.boot:spring-boot-starter-security'
    )
    ...

Works perfect with Spring Boot 2.1.3

Alex
  • 1,986
  • 22
  • 23