15

According to the documentation of Spring Boot, session timeout can be configured by setting 

server.servlet.session.timeout= 300s

in application.properties file. In this post and in Spring Boot documentation it is also said so. But unfortunately this is not working for me.

Is there any other configuration to get expected result?

informatik01
  • 16,038
  • 10
  • 74
  • 104
Avijit Barua
  • 2,950
  • 5
  • 14
  • 35
  • 8
    The `server.*` properties will only work if you use the embedded container. If you are deploying to Tomcat those won't work as Spring Boot isn't controlling the container. – M. Deinum Jan 15 '19 at 07:45
  • @M.Deinum, Can you give me any suggestion about, how can I set session timeout in my project which is currently running on server ? – Avijit Barua Jan 15 '19 at 07:48
  • 1
    By including a `web.xml` or `web-fragment.xml` and set the session timeout in that way just as you regularly would do. – M. Deinum Jan 15 '19 at 07:49
  • @M.Deinum, Can you please give me any reference ? – Avijit Barua Jan 15 '19 at 07:50
  • A reference to what? Just check how you would set the session timeout in a regular web application. That applies here as well. – M. Deinum Jan 15 '19 at 07:52
  • @M.Deinum, Where I will have to put `web.xml` in spring boot project ? In resource folder ? – Avijit Barua Jan 15 '19 at 07:54
  • No as stated in the normal location the `WEB-INF` folder. It is a regular WAR you are deploying, there is no magic in there. – M. Deinum Jan 15 '19 at 07:54

5 Answers5

9

You can use Approach 1:

server.servlet.session.timeout=30s
server.servlet.session.cookie.max-age=30s

It is working fine for me

M. Deinum
  • 115,695
  • 22
  • 220
  • 224
vivekdubey
  • 484
  • 2
  • 7
7

I am posting answer because this scenario is new for me. And I haven't got proper solution step by step. According to the suggestion of M. Deinum I created a web.xml file under WEB-INF folder. Project structure is like 

src
 |_ main
     |_ java
     |_ resources
     |_ webapp
         |_ WEB-INF
              |_ web.xml

And in web.xml I configured <session-timeout>...</session-timeout>

My web.xml is like 

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         id="WebApp_ID" version="2.5">


    <session-config>
        <session-timeout>5</session-timeout>
    </session-config>

</web-app>

And now session time of my webapp in server is working according to my configuration. Thanks goes to M. Deinum

Avijit Barua
  • 2,950
  • 5
  • 14
  • 35
7

A possible cause for this problem might be using @EnableRedisHttpSession. As explained in this answer:

By using @EnableRedisHttpSession you are telling Spring Boot that you want to take complete control over the configuration of Redis-based HTTP sessions. As a result, its auto-configuration backs off and server.servlet.session.timeout has no effect. If you want to use server.servlet.session.timeout then you should remove @EnableRedisHttpSession. Alternatively, if you want to use @EnableRedisHttpSession then you should use the maxInactiveIntervalInSeconds attribute to configure the session timeout.

Hope this helps someone.

Community
  • 1
  • 1
Nelly Mincheva
  • 380
  • 3
  • 8
4

server.servlet.session.timeout only works for spring boot embedded container.

If you want to deploy the application to an external container, implement HttpSessionListener and ServletRequestListener.

@Component
public class MyHttpSessionListener implements HttpSessionListener {
    @Value("${server.servlet.session.timeout}")
    Duration sessionTimout;

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        event.getSession().setMaxInactiveInterval((int) sessionTimout.getSeconds());
    }
}

@Component
public class MyServletRequestListener implements ServletRequestListener {
    @Value("${server.servlet.session.timeout}")
    Duration sessionTimout;
    
    @Override
    public  void requestInitialized(ServletRequestEvent sre) {
        HttpSession sh = ((HttpServletRequest) sre.getServletRequest()).getSession(false);

        if (sh != null) {
            long t = sh.getCreationTime();
            long duration = (System.currentTimeMillis() - t) / 1000;

            if (duration > sessionTimout.getSeconds()) {
                sh.invalidate();
            }
        }
    }

}

Shapur
  • 498
  • 7
  • 17
1

Follow the below solution.

  1. Set the session time out in application.properties file like below.

    server.servlet.session.timeout=01m

  2. Specify the invalid session URL in WebSecurityConfiguration file like below

    http.sessionManagement().invalidSessionUrl("/sessionexpired");

  3. Configure the session expired mapping in controller class like below

    @RequestMapping(value = "/sessionexpired", method = RequestMethod.GET)
public ModelAndView sessionexpired(HttpServletRequest request,
         HttpServletResponse response) {

         return new ModelAndView("sessionexpired");

}
abdo Salm
  • 1,678
  • 4
  • 12
  • 22
Murali
  • 11
  • 1