You can either set the session timeout (say 60 minutes) for all sessions in web.xml:
<session-config>
<session-timeout>60</session-timeout>
</session-config>
or on a per-session basis using
session.setMaxInactiveInterval(60*60);
the latter you might want to do in a authorizationSuccessHandler.
<form-login authentication-success-handler-ref="authenticationSuccessHandler"/>
My questions:
Are the two approaches mentioned above same ?
If not, how to set inactive timeout as described in second approach
via Spring Configuration XML?
What is the ideal approach to set set session timeout in spring
framework?
Are the two approaches mentioned above same ?
Yes, only difference is in former case session timeout is set by servlet container e.g tomcat and in later case its done by Spring.
If not, how to set inactive timeout as described in second approach
via Spring Configuration XML?
You have to write custom filter to set session timeout, as far as my knowledge goes there nothing where you can set session time out in Spring XML
What is the ideal approach to set set session timeout in spring
framework?
Let the session timeout handle by container like one you define in web.xml, if you are changing session time a lot in running app, then you can consider Spring managed session timeout by using interceptor.
Related
Trying to store my HttpSession using Redis in Spring Boot. All guides mention session timeout properties - like spring.session.timeout - and previously I used to define timeout in web.xml. Can't figure\find out the difference between those two.
When I comment out timeout in web.xml and use property - for example 1 minute timeout - it is not being 1 minute after deploy. Are those two ways connected somehow? Or those are completely different things?
UPD 1: Also I am using #EnableRedisHttpSession with no args, if that affects it
As long as I know the duration of the default session is 30 mins and I
wanna change this for my specific flow that I created using Spring
Webflow? My question is How can i achieve this?
I have researched and found some interesting articles and solutions but none of them seems to work for me and also their solution not straightforward
To change a single request's session we should set HttpSession's setMaxInactiveInterval right? So if it is, How and Where I should set it? IN SPRING WEBFLOW?
HttpSession session = request.getSession();
session.setMaxInactiveInterval(10*60);
To get to the raw HttpSession in Web Flow, you need to use the ExternalContext. Like this:
((HttpServletRequest)
RequestContextHolder.getRequestContext().getExternalContext()
.getNativeRequest())
.getSession())
https://docs.spring.io/spring-webflow/docs/current/api/org/springframework/webflow/context/ExternalContext.html#getNativeRequest--
I've been working on a Web based Application on Spring MVC architecture. With the Java EE applications, I'm very much familiar that HttpSession can be timed out in either of these three ways
Invoking invalidate method(generally while logging out).
Setting session time out in web.xml.
Web server itself destroyes sessions objects when heap memory exceeds.
But in my Spring application, HttpSession gets timed out after I make my application idle for several hours eventhough none of the above reasons were causes. I really have no idea what is causing this.
The default session timeout in tomcat is defined in
<TOMCAT_HOME>/conf/web.xml
All configuration parameters of this file can be overridden in web.xml of the webapp.
If you need an infinite session timeout use -1 :
<session-config>
<session-timeout>-1</session-timeout>
</session-config>
I currently have a Spring 3 project and what I want to do is retrieve my session when the session expires. I have been doing some research and apparently the HttpSessionBindingListener can handle this although in a Spring project, I can't seem to figure out how to implement this properly. Within my session, I save a UserDetailsImpl object which contains my User object. Should I be implementing the HttpSessionBindingListener on the stated objects?
To be clear, what I want to do is retrieve the user's id from the session object before it expires.
EDIT: Apparently the HttpSessionBindingListener does not work properly in Websphere but it is okay in Tomcat. Are there any other alternatives?
You can also register listener in web.xml:
<listener>
<listener-class>com.example.MyHttpSessionListener</listener-class>
</listener>
And use method sessionDestroyed()
This is detailed describd in this answer: https://stackoverflow.com/a/3720512/516167
Inject Spring Application Context in this Listener like is described in this question:
How to inject dependencies into HttpSessionListener, using Spring?
Other possible solution are described here:
Logout/Session timeout catching with spring security
What is the maximum time of user inactivity (session expiration time) when using spring security?
When is session expiration date updated? Does it update when we call SecurityContextHolder.getContext().getAuthentication() ? I.e. what is "user activity" for spring security?
Thanks!
Spring Security relies on session management support provided by servlet containers.
Session timeout can be configured in web.xml:
<session-config>
<session-timeout>30</session-timeout> <!-- in minutes -->
</session-config>
otherwise container's default value is used. You can override timeout for particular session using Session.setMaxInactiveInterval() (in seconds).
Session expiration date is updated when any request associated with that session comes in.