
Hello everyone, I've got my Spring Boot application on an Apache Tomcat server and it works fine. But now I need to avoid session expiration for a specific user. How could I do that? I've been searching for ways and found that a handler interceptor could be useful for session management, but I'm not sure. Thanks in advance!

Maya
  • *Why* do you want to avoid session expiration? – Makoto Aug 08 '17 at 16:43
  • It's a client requirement. They want to avoid session expiration for a specific user. – Maya Aug 08 '17 at 16:53
  • Perhaps you are looking for https://stackoverflow.com/questions/2504590/how-can-i-use-spring-security-without-sessions OR https://stackoverflow.com/questions/24561915/spring-boot-spring-security-session-timeout OR http://www.baeldung.com/spring-security-session – Ram Aug 08 '17 at 16:54
  • Regardless of whether or not it's a requirement, *why* would one want to not have a user session expire? If that user has any sort of power, that's a *significant* security hole. – Makoto Aug 08 '17 at 16:54
  • Not exactly, I don't want to dismiss sessions at all, I just want to prevent a specific user's session from expiring. Thanks anyway – Maya Aug 08 '17 at 17:01
  • Makoto, you have a point there, but I need to do this; could you guide me to do it? – Maya Aug 08 '17 at 17:03
  • Not until you explain ***why***. This has the symptoms of an [XY problem](https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). – Makoto Aug 08 '17 at 17:21

1 Answer

I am afraid there is no simple way to do it. The expiration timeout is common to all users of your application and is controlled by the application server. In order to have different timeouts for different users you should:

  1. implement some session wrapper over a native server session;
  2. set expiration timeout for native server sessions to the longest time that you will give to one of your user sessions;
  3. manage expiration timeout of your session wrappers by your own.

EDIT: In my opinion the best way to solve this issue is reconsidering the client's requirement (an immortal user with admin rights is a bad idea for your application). Anyway, customizing security-related parts of an application is always risky and you should really know what you are doing.

briarheart
  • Personally I'd recommend not answering until we have more insight into the rationale. Your advice is sound and something I'd be saying, but the deeper issue of "why" still persists. – Makoto Aug 08 '17 at 16:56
  • @Makoto I agree, this is a strange requirement that can lead to a breach in application security. I'll edit my answer accordingly. – briarheart Aug 08 '17 at 17:20
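The three steps in the answer, worked through as an added example (not code from the question or the answer): a Spring `HandlerInterceptor` that keeps its own last-access timestamp in the container session and expires the session early for users whose assumed per-user idle limit is shorter than Tomcat's. The `idleLimits` map, the `perUser.lastAccess` attribute name and the `javax.servlet` API level are assumptions; the container timeout is the ceiling and must be set to the longest limit you hand out.

```java
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.HandlerInterceptor;

// Enforces a per-user idle limit on top of the container session (steps 1-3 of the answer).
public class PerUserIdleTimeoutInterceptor implements HandlerInterceptor {

    static final String LAST_ACCESS_ATTR = "perUser.lastAccess"; // assumed attribute name

    private final Map<String, Duration> idleLimits;   // assumed policy: user name -> idle limit
    private final Duration containerTimeout;          // must equal Tomcat's configured timeout

    public PerUserIdleTimeoutInterceptor(Map<String, Duration> idleLimits, Duration containerTimeout) {
        this.idleLimits = idleLimits;
        this.containerTimeout = containerTimeout;
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session == null || request.getUserPrincipal() == null) {
            return true; // nothing to enforce for anonymous requests
        }
        String user = request.getUserPrincipal().getName();
        // Users without an explicit limit inherit the container timeout, which is the ceiling:
        // step 2 of the answer requires it to be the longest limit given to any user.
        Duration limit = idleLimits.getOrDefault(user, containerTimeout);
        Instant now = Instant.now();
        Instant last = (Instant) session.getAttribute(LAST_ACCESS_ATTR);
        if (last != null && Duration.between(last, now).compareTo(limit) > 0) {
            session.invalidate();                        // step 3: expire early for this user
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session expired");
            return false;
        }
        session.setAttribute(LAST_ACCESS_ATTR, now);   // step 1: wrapper state lives in the session
        return true;
    }
}
```

Register it from a `WebMvcConfigurer.addInterceptors` override and keep the container timeout (`server.session.timeout` in Spring Boot 1.x, `server.servlet.session.timeout` in 2.x) at least as long as every entry in `idleLimits`; giving privileged accounts a shorter window than the default is the safer direction to use this in.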