
Using Spring Boot Security, I would like to force the logged-in user's session to expire after a specific amount of time (e.g. 15 minutes).

Since the JSESSIONID cookie is used to identify the logged-in user, I would expect this cookie has to be forced to expire. If this is correct, how do I do that? If not, what is the correct approach?

My current SecurityConfig:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("userDetailsServiceImpl")
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                // CSRF protection is disabled in this configuration
                .csrf()
                .disable()
                // /login is open to everyone; every other request needs an authenticated session
                .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
                .and()
                // logout invalidates the server-side session and removes the JSESSIONID cookie
                .logout().logoutUrl("/logout").deleteCookies("JSESSIONID").clearAuthentication(true).invalidateHttpSession(true)
                .and()
                .httpBasic();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // credentials are erased from the Authentication object after a successful login
        auth.authenticationProvider(authenticationProvider()).eraseCredentials(true);
    }

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        final DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(userDetailsService);
        authProvider.setPasswordEncoder(encoder());
        return authProvider;
    }

    @Bean
    public PasswordEncoder encoder() {
        // bcrypt with a work factor of 11
        return new BCryptPasswordEncoder(11);
    }
}
Radouxca
  • Usually the session expiry is set in the App Server, or in the WebApp layer in web.xml – Jayr May 30 '19 at 13:55
  • use `spring.session.timeout = 900` via application.properties – Dirk Deyne May 30 '19 at 16:46
  • @DirkDeyne I tried to set `spring.session.timeout = 10`. Then I logged in by sending an authenticated request to obtain the JSESSIONID cookie. Then I tried to send a request without authorization, just using JSESSIONID to authenticate. Requests were identified as authorized and returned data even if the timeout had expired already. The JSESSIONID cookie expiry was set to ca. 19 years in the future. – Radouxca May 30 '19 at 20:00
  • @Radouxca sorry, my bad, try `server.servlet.session.cookie.max-age`? – Dirk Deyne May 30 '19 at 20:12
  • @DirkDeyne `server.servlet.session.cookie.max-age` worked well. However, does this property set max-age for all cookies, or just for the session cookie? – Radouxca May 31 '19 at 07:01
  • if you create extra cookies, you can set the expiration date via `somecookie.setMaxAge(...)` – Dirk Deyne May 31 '19 at 11:38

1 Answer

I found a related question here: Spring Boot Java Config Set Session Timeout.

Using `server.servlet.session.timeout=60s` worked well to force the user session to expire, and there is no need to touch the cookie.

Radouxca
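As an added example, not code from the question or the answer, the property set the thread converges on (server-side timeout, with the cookie Max-Age as a client-side hint only) together with a session listener that makes the server-side expiry visible in the application log, which is the check the asker had to do by hand with a captured JSESSIONID. The package and class names, the 15-minute value and the cookie flags are assumptions.

```java
// application.properties (embedded container; values are assumptions for this example):
//   server.servlet.session.timeout=15m          server-side idle timeout: the HttpSession, and the
//                                               SecurityContext stored in it, is dropped after 15 min idle
//   server.servlet.session.cookie.max-age=15m   client-side hint only; the server keeps honouring the
//                                               session id until the server-side timeout fires
//   server.servlet.session.cookie.http-only=true
//   server.servlet.session.cookie.secure=true
// spring.session.timeout is the Spring Session property and has no effect unless Spring Session
// manages the session store, which matches what the comment thread observed.

package example.session;   // hypothetical package

import java.util.logging.Logger;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.springframework.stereotype.Component;

/**
 * Logs session creation and destruction so the configured timeout can be verified from the log
 * instead of being inferred from cookie expiry. Spring Boot registers HttpSessionListener beans
 * with the embedded container automatically.
 */
@Component
public class SessionLifecycleListener implements HttpSessionListener {

    private static final Logger LOG = Logger.getLogger(SessionLifecycleListener.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // getMaxInactiveInterval() reflects server.servlet.session.timeout in seconds (900 for 15m);
        // logging it at creation makes a mis-set or ignored property visible immediately.
        LOG.info(() -> "session created id=" + abbreviate(se.getSession().getId())
                + " maxInactiveSeconds=" + se.getSession().getMaxInactiveInterval());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Fires on explicit invalidation (logout) and on idle timeout; from this point a request that
        // carries only the old JSESSIONID is unauthenticated, whatever the cookie's Max-Age says.
        LOG.info(() -> "session destroyed id=" + abbreviate(se.getSession().getId()));
    }

    // Never log full session ids: while the session is live they are bearer credentials.
    static String abbreviate(String id) {
        if (id == null) {
            return "?";
        }
        return id.length() <= 8 ? id : id.substring(0, 8) + "...";
    }
}
```

After the idle period a "session destroyed" line appears, and a request presenting only the old JSESSIONID is rejected by httpBasic() with a 401, which is the behaviour the asker expected from the cookie alone.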