I'm having a problem logging out of the application after the session times out. I've configured the logout url:

<security:logout logout-url="/logout" logout-success-url="/" delete-cookies="JSESSIONID"/>

and I have the logout form:

<form action="#" th:action="@{/logout}" method="POST">
    <input type="submit" th:value="#{btn.logout}"/>
</form>

The form tag adds the CSRF parameter and logging out works well as long as the session is still active. But if I log in to the application, leave it open long enough for the session to expire and then hit the logout button, I get the error: HTTP Status 405 - Request method 'POST' not supported

I'd still like to keep the CSRF validation and make it work as a POST request.

Mircea Badescu
  • I don't understand why you have method="post" for the logout form? – smoggers Aug 20 '15 at 20:56
  • Spring Security requires [POST by default if CSRF is enabled](http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-logout). See Rob's answer for an example if you require GET logout support: http://stackoverflow.com/a/20356111/2264997 – ikumen Aug 20 '15 at 21:44
  • possible duplicate of [Spring Security 3.2.0RC2 logout url POST only?](http://stackoverflow.com/questions/20333176/spring-security-3-2-0rc2-logout-url-post-only) – ikumen Aug 20 '15 at 21:45
  • I know I can disable the csrf and make it a GET but I'd still like to make it work as a POST if I can – Mircea Badescu Aug 20 '15 at 21:57
  • sorry about the close vote. I don't think you can avoid a 405 in your situation - as soon as the session expires so does the csrf token. As the doc points out, you'll have to add some type of js to prompt the user before the session times out. – ikumen Aug 20 '15 at 22:42

3 Answers


I found the solution in the documentation: In your spring security configuration you have to add the following line:

<session-management invalid-session-url="/login" />

An example:

<form-login
    login-page="/login"
    default-target-url="/"
    authentication-failure-url="/login?error"
    username-parameter="username"
    password-parameter="password" />

<session-management invalid-session-url="/login" />

<form-login login-processing-url="/login" login-page="/login"/>
<logout logout-success-url="/" logout-url="/logout"/>

I hope it will help you.

Adam Eros

Set the Refresh HTTP header for just after session expiry. This will cause the page to reload itself just after the session expires, essentially logging you out.

Neil McGuigan

It is due to the fact that when the session expires, the CSRF token with the login form is no longer valid. And making a POST request with an invalid CSRF token causes Spring to give a 405, i.e. Method Not Supported error.

Solution:

Add the following configuration in Http Security Configuration.

For Java Config:

.and().sessionManagement().invalidSessionUrl("/login")

For XML Config:

<session-management invalid-session-url="/login" />

Ussama Zubair
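Putting the two answers together as one complete Java configuration (an added example, not code from any of the answers; it assumes the Spring Security 4-era WebSecurityConfigurerAdapter, a class name of SecurityConfig, and the URLs already used in the question and answers):

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF protection stays on, so /logout is only accepted as a POST
            // carrying the token that the Thymeleaf form inserts.
            .csrf()
                .and()
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/login")
                .defaultSuccessUrl("/")
                .failureUrl("/login?error")
                .and()
            .logout()
                .logoutUrl("/logout")          // POST only while CSRF is enabled
                .logoutSuccessUrl("/")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")   // note the cookie name: JSESSIONID
                .and()
            // With invalidSessionUrl set, Spring Security treats a request that
            // arrives with an expired session and therefore no CSRF token as an
            // invalid session and redirects to this URL, so the late POST to
            // /logout lands on GET /login instead of being rejected.
            .sessionManagement()
                .invalidSessionUrl("/login");
    }
}
```

The XML equivalent is the `<session-management invalid-session-url="/login" />` element shown in the answers above, alongside `<logout logout-url="/logout" .../>`.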