13

I have created a SpringBoot MVC/Security app 1.2.2.RELEASE and my application.properties contains server settings like

#Tomcat port and contextPath details
server.port=8080
server.contextPath=/test
#server.session-timeout=120
server.sessionTimeout=120

The documentation states

server.session-timeout= # session timeout in seconds

but the ServerProperties.java uses sessionTimeout;

If you look at the application.properties code I have posted, I have tried both independently and together, but I don't get timed out after 2 minutes. I don't have any other code explicitly written to perform any session handling.

Has anyone come across this issue? What am I missing or doing wrong?

victor
  • 6
    Boot's [relaxed binding](http://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#boot-features-external-config-relaxed-binding) means that both `server.sessionTimeout` and `server.session-timeout` will configure `ServerProperties`' `sessionTimeout` property. Note that the unit is seconds, not minutes. – Andy Wilkinson Mar 18 '15 at 19:49
  • @Andy, thanks for the information, but that still does not explain why I don't get a time out, even if I set the value to 120 sec (2 minutes) – victor Mar 19 '15 at 09:09
  • That's why it's a comment rather than an answer – Andy Wilkinson Mar 19 '15 at 10:40
  • According to this, the timeout is not expressed in number of minutes: http://stackoverflow.com/questions/24561915/spring-boot-spring-security-session-timeout – pastafarian Aug 28 '15 at 22:30
  • Why would you get a timeout? The session will be cleaned up, if you are mixing this with Spring Security (not apparent from your question) it might be that that is configured wrongly. Also the timeout is ~ 2 minutes, depending on when the reaper thread is running, instead of 2 minutes it could actually be 3 minutes depending on the thread cleaning up the sessions. – M. Deinum Jun 22 '16 at 08:00
  • @victor did you ever solve this problem? – JayC Apr 28 '17 at 16:59

5 Answers

10

I don't know why, but for some reason only setting

server.session.timeout=120

didn't work for me. However, when I set both the session timeout and the cookie max age like below:

server.session.cookie.max-age=120
server.session.timeout=120 

it works perfectly

Manish Kothari
  • It works because the browser invalidates the cookie and doesn't send it to the server, therefore the server can't find the session – JohnnyAW Jun 09 '17 at 09:31
  • This way, the cookie gets invalidated, regardless of activity, therefore, you may be logged out while you are filling a form, and by the time you submit, you will be redirected. – Wilhelm Sorban Oct 17 '17 at 20:56
2

I'm not sure what this server.session.timeout is for because when I set it to a specific number, and monitor the session creation, the session expiry does not get changed.

I'm using Spring Session and Redis integration. In my case, I need to set the maxInactiveIntervalInSeconds to something like 120 (seconds); this can be done through redisHttpSessionConfiguration.

And then if I go to Redis to look for the session, I can see its expiry is changed to 120 seconds and the session timeout works.

One suggestion of mine would be to try to find out if you can configure the session's maxInactiveIntervalInSeconds (or similar) either programmatically or in the property file, and monitor session changes.

Phoebe Li
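
One way to do the monitoring suggested above, as an added example that is not part of any answer in this thread: a listener that logs the timeout each new session actually received and, at destruction, how long it had been idle. The class name is hypothetical, and the code assumes container-managed sessions on Boot 1.x/2.x (`javax.servlet`; Boot 3 uses `jakarta.servlet`).

```java
import java.util.logging.Logger;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.springframework.stereotype.Component;

// Hypothetical class name; added example, not code from this thread.
// Spring Boot registers HttpSessionListener beans with the embedded container.
@Component
public class SessionTimeoutAuditListener implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(SessionTimeoutAuditListener.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        // Effective server-side idle timeout in seconds, whatever its source.
        int timeout = session.getMaxInactiveInterval();
        if (timeout <= 0) {
            // Zero or negative means the container never expires the session.
            LOG.warning("session " + shortId(session.getId()) + " never expires");
        } else {
            LOG.info("session " + shortId(session.getId())
                    + " created, idle timeout " + timeout + "s");
        }
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Called while the session is still readable, just before invalidation.
        HttpSession session = event.getSession();
        long now = System.currentTimeMillis();
        long idle = (now - session.getLastAccessedTime()) / 1000;
        long age = (now - session.getCreationTime()) / 1000;
        int timeout = session.getMaxInactiveInterval();
        // idle >= timeout: inactivity expiry (the excess is the cleanup delay).
        // idle < timeout: explicit invalidate(), for example a logout.
        String cause = (timeout > 0 && idle >= timeout) ? "expired" : "invalidated";
        LOG.info("session " + shortId(session.getId()) + " " + cause
                + " after " + age + "s, idle " + idle + "s, timeout " + timeout + "s");
    }

    // Log only a prefix: a full session ID in a log file is a usable credential.
    static String shortId(String id) {
        return id.length() <= 6 ? id : id.substring(0, 6) + "...";
    }
}
```

If the logged timeout is not 120, the property never reached the container; if it is 120 but the browser still appears logged in, the difference lies in the cookie or in the security configuration rather than in the server-side timeout.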
2

(This applies to Spring 1.5.x at the time of this writing)

Note that if you're using Redis session @EnableRedisHttpSession (such as in the other comment @Phoebe Li's case), then the application property server.session won't be applied. You'll have to set it manually by code like this:

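import org.springframework.context.annotation.Bean;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.session.data.redis.RedisOperationsSessionRepository;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;

@EnableRedisHttpSession
public class HttpSessionConfig {
    @Bean
    public RedisOperationsSessionRepository sessionRepository(RedisConnectionFactory factory) {
        RedisOperationsSessionRepository sessionRepository = new RedisOperationsSessionRepository(factory);

        // Set the TTL of the Redis key, which in turn expires the session when the TTL is reached
        sessionRepository.setDefaultMaxInactiveInterval(15); // e.g. 15 seconds

        return sessionRepository;
    }
}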
EwyynTomato
1

In application.yml of my Spring Boot 2 app

# A negative value means that the cookie is not stored persistently and will be deleted when the Web browser exits
server:
  servlet:
    session:
      cookie:
        max-age: -1
      timeout: -1

With these settings JSESSIONID cookie expiration time is set to "When the browsing session ends".

naXa stands with Ukraine
0

You can try adding both of these statements.

server.session.cookie.max-age=120
server.session.timeout=120

You can find complete example on my blog here: http://www.onlinetutorialspoint.com/spring-boot/how-to-set-spring-boot-tomcat-session-timeout.html