48

How can I configure my (embedded) Tomcat Session Timeout in a Spring Boot Application?

public class SessionListener implements HttpSessionListener{

@Override
public void sessionCreated(HttpSessionEvent se) {
    se.getSession().setMaxInactiveInterval(5*60);
}

@Override
public void sessionDestroyed(HttpSessionEvent se) {

}}

I have a SessionListener but I have no idea in which class I have to add this Listener to the Context.

Michael Petch
  • 46,082
  • 8
  • 107
  • 198
Timo Ademeit
  • 675
  • 2
  • 7
  • 15
  • 1
    Also useful to know that, according to this article, the setting can't be updated in code and must be done through the properties file as the answers indidcate: https://www.baeldung.com/servlet-session-timeout. From that article: "there is no way to programmatically set the global session timeout" – Colm Bhandal Jun 14 '21 at 14:21

3 Answers3

86

server.session.timeout in the application.properties file is now deprecated. The correct setting is:

server.servlet.session.timeout=60s

Also note that Tomcat will not allow you to set the timeout any less than 60 seconds. For details about that minimum setting see https://github.com/spring-projects/spring-boot/issues/7383.

dm_tr
  • 4,265
  • 1
  • 6
  • 30
Daryl
  • 1,007
  • 1
  • 10
  • 10
  • spring boot 2.0 move – user1553728 Dec 20 '18 at 02:57
  • @user1553728 what? – Alex78191 Jan 22 '19 at 11:21
  • Note: in the embeded Tomcat server it is in minutes, so if you set a value smaller that 1 minute, it will have to wait 1 minute for the session to expire. – Remy Aug 09 '19 at 04:46
  • 1
    I'm using session timeout lower than 60 seconds successfully with a spring boot 2.2.6 and embedded tomcat 9! – Ghasem Sadeghi May 26 '20 at 15:09
  • @Daryl server.servlet.session.timeout=60s is not working when I deploy my spring boot(2.2.4) spring security(5.2.1) web application into stand alone tomcat(9).I tried with minute also – Supriya C S Jul 21 '20 at 08:43
  • @GhasemSadeghi Are you sure that your sub-60-second timeout actually times out in less than 60 seconds? I tried it today, just for experimentation, with 20s, and the timeout interval seemed to last 1 minute. I think we have embedded Tomcat 9 too. From what I read in the docs, Spring will allow you to set that setting to anything, even with Tomcat, but in the case of Tomcat, it will just round down to the nearest minute, or round up if you are below 1 minute. – Colm Bhandal Jun 14 '21 at 17:52
48
  • Spring Boot version 1.0: server.session.timeout=1200
  • Spring Boot version 2.0: server.servlet.session.timeout=10m
    NOTE: If a duration suffix is not specified, seconds will be used.
informatik01
  • 16,038
  • 10
  • 74
  • 104
user1553728
  • 790
  • 7
  • 6
43

You should be able to set the server.session.timeout in your application.properties file.

ref: http://docs.spring.io/spring-boot/docs/1.4.x/reference/html/common-application-properties.html

EDIT:

This property has changed in later versions of Spring Boot to server.servlet.session.timeout.

ref: https://docs.spring.io/spring-boot/docs/2.4.x/reference/html/appendix-application-properties.html#server.servlet.session.timeout

LucasP
  • 1,665
  • 16
  • 24
  • 2
    server.session.timeout= # Session timeout in seconds. – ThomasRS Sep 29 '17 at 20:48
  • 2
    In your application.properties `#session timeout (in secs for spring, in minutes for tomcat server/container) server.session.timeout=1` I tested it and is working! It turns out that tomcat take the property in minutes – Eduardo Nov 07 '17 at 21:34
  • This only works with the Embedded Tomcat of Spring Boot. When using war-Deployment, you have to add the `SessionListener` from the original question to the project by adding a `@Configuration` annotation on top of it. I would then suggest to use the standard property again by binding it with `@Value("${server.servlet.session.timeout}") Duration timeout` to the `SessionListener` and using that value with `se.getSession().setMaxInactiveInterval(timeout.toSeconds())`. – nasezoll May 16 '23 at 09:11