Does Spring's DispatcherServlet show any influence on HttpSession by default for its timeout? - spring

I've been working on a web-based application on the Spring MVC architecture. From Java EE applications, I'm very familiar with the fact that an HttpSession can be timed out in any of these three ways:
1. Invoking the invalidate method (generally while logging out).
2. Setting the session timeout in web.xml.
3. The web server itself destroys session objects when heap memory is exceeded.
But in my Spring application, the HttpSession gets timed out after I leave my application idle for several hours, even though none of the above reasons was the cause. I really have no idea what is causing this.

The default session timeout in Tomcat is defined in
<TOMCAT_HOME>/conf/web.xml
All configuration parameters of this file can be overridden in the web.xml of the webapp.
If you need an infinite session timeout, use -1:
<session-config>
    <session-timeout>-1</session-timeout>
</session-config>

Related

Difference between spring.session.timeout property and <session-timeout> tag in web.xml

Trying to store my HttpSession using Redis in Spring Boot. All guides mention session timeout properties, like spring.session.timeout, and previously I used to define the timeout in web.xml. I can't figure out/find the difference between those two.
When I comment out the timeout in web.xml and use the property (for example a 1 minute timeout), it is not 1 minute after deployment. Are those two ways connected somehow? Or are those completely different things?
UPD 1: Also I am using @EnableRedisHttpSession with no args, if that affects it.

Ideal Spring Session Timeout Configuration

You can either set the session timeout (say 60 minutes) for all sessions in web.xml:
<session-config>
    <session-timeout>60</session-timeout>
</session-config>
or on a per-session basis using
session.setMaxInactiveInterval(60*60);
The latter you might want to do in an authorizationSuccessHandler.
<form-login authentication-success-handler-ref="authenticationSuccessHandler"/>
My questions:
1. Are the two approaches mentioned above the same?
2. If not, how to set the inactive timeout as described in the second approach via Spring configuration XML?
3. What is the ideal approach to set the session timeout in the Spring framework?
Are the two approaches mentioned above the same?
Yes, the only difference is that in the former case the session timeout is set by the servlet container, e.g. Tomcat, and in the latter case it's done by Spring.
If not, how to set the inactive timeout as described in the second approach via Spring configuration XML?
You have to write a custom filter to set the session timeout; as far as my knowledge goes, there is nothing where you can set the session timeout in Spring XML.
What is the ideal approach to set the session timeout in the Spring framework?
Let the session timeout be handled by the container, like the one you define in web.xml; if you are changing the session time a lot in a running app, then you can consider a Spring-managed session timeout by using an interceptor.
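The interceptor approach mentioned in the answer, written out as an added example (not code from the question or the answer). It assumes Servlet 3 (javax.servlet) and Spring MVC; the class name, the 60 minute value and the XML bean registration in the comment are illustrative.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Hypothetical interceptor: applies a Spring-managed inactivity timeout to
 * every session that reaches a Spring MVC handler. The container value from
 * web.xml still governs sessions this interceptor never sees, so keep both.
 *
 * XML registration (the asker's Spring configuration XML), equivalent to the
 * Java config below:
 *   <mvc:interceptors>
 *     <bean class="com.example.SessionTimeoutInterceptor">
 *       <constructor-arg value="3600"/>
 *     </bean>
 *   </mvc:interceptors>
 */
public class SessionTimeoutInterceptor implements HandlerInterceptor {

    private final int maxInactiveSeconds;

    public SessionTimeoutInterceptor(int maxInactiveSeconds) {
        this.maxInactiveSeconds = maxInactiveSeconds;
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) {
        // getSession(false): never create a session just to configure its timeout
        HttpSession session = request.getSession(false);
        if (session != null && session.getMaxInactiveInterval() != maxInactiveSeconds) {
            session.setMaxInactiveInterval(maxInactiveSeconds);
        }
        return true; // continue to the handler
    }
}

/** Java-config registration; WebMvcConfigurer default methods need Spring 5+. */
@Configuration
class SessionTimeoutConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // 60 minutes, the same value as the web.xml example in the question
        registry.addInterceptor(new SessionTimeoutInterceptor(60 * 60));
    }
}
```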

Spring: Invoking a method before session timeout

I currently have a Spring 3 project and what I want to do is retrieve my session when the session expires. I have been doing some research and apparently the HttpSessionBindingListener can handle this although in a Spring project, I can't seem to figure out how to implement this properly. Within my session, I save a UserDetailsImpl object which contains my User object. Should I be implementing the HttpSessionBindingListener on the stated objects?
To be clear, what I want to do is retrieve the user's id from the session object before it expires.
EDIT: Apparently the HttpSessionBindingListener does not work properly in Websphere but it is okay in Tomcat. Are there any other alternatives?
You can also register a listener in web.xml:
<listener>
    <listener-class>com.example.MyHttpSessionListener</listener-class>
</listener>
and use the method sessionDestroyed().
This is described in detail in this answer: https://stackoverflow.com/a/3720512/516167
Inject the Spring application context in this listener as described in this question:
How to inject dependencies into HttpSessionListener, using Spring?
Other possible solutions are described here:
Logout/Session timeout catching with spring security
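An HttpSessionListener that reads the user id before the session goes away, as an added example (not the code from the question or the linked answers). It assumes Servlet 3 (javax.servlet), that the question's UserDetailsImpl is stored under an attribute name given here as a constant and exposes getUser().getId(), and a hypothetical SessionAuditService bean that the listener looks up from the Spring root context rather than having injected, because the container instantiates the listener.

```java
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

/** Hypothetical Spring bean the listener hands the result to. */
interface SessionAuditService {
    void recordSessionEnd(long userId, boolean timedOut);
}

/**
 * Registered either with @WebListener (Servlet 3.0) or with the <listener>
 * element from the answer. sessionDestroyed() fires for both an explicit
 * invalidate() (logout) and a container timeout, and the Servlet spec calls
 * it before the attributes are removed, so the stored object is still readable.
 */
@WebListener
public class MyHttpSessionListener implements HttpSessionListener {

    // Assumed attribute name under which the app stores its UserDetailsImpl
    static final String USER_ATTR = "userDetails";

    @Override
    public void sessionCreated(HttpSessionEvent se) { }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        Object principal = session.getAttribute(USER_ATTR);
        if (!(principal instanceof UserDetailsImpl)) {
            return; // anonymous session, nothing to record
        }
        long userId = ((UserDetailsImpl) principal).getUser().getId();

        // Look up the root context via the ServletContext; null during undeploy
        WebApplicationContext ctx = WebApplicationContextUtils
                .getWebApplicationContext(session.getServletContext());
        if (ctx == null) {
            return;
        }
        // Heuristic: idle time at least the inactivity window means a timeout,
        // anything shorter means the app called invalidate() itself.
        long idleMillis = System.currentTimeMillis() - session.getLastAccessedTime();
        boolean timedOut = idleMillis >= session.getMaxInactiveInterval() * 1000L;
        // Pass the user id only; the session id itself is a credential and
        // should not be written to audit logs.
        ctx.getBean(SessionAuditService.class).recordSessionEnd(userId, timedOut);
    }
}
```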

Mysterious HttpSession and session-config dependency

Good day. I'm developing a Java web app with Servlets/JSP using Tomcat 7.0. During a request from the client I put an object into the session and use forward. After the forward, processing the same request, the object can be retrieved if the secure parameter is false; otherwise it is not stored in the session.
<session-config>
    <session-timeout>15</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
I've figured out that "...cookies can be created with the 'secure' flag, which ensures that the browser will never transmit the specified cookie over non-SSL...". I've configured Tomcat to use SSL, but that hasn't helped. Changing the tracking mode to SSL hasn't helped either. How do session-config and the HttpSession object correlate in this case? What could be the problem?

Disable jsessionid via http header (cookie) in Tomcat 7

I'm looking to disable jsessionid from being used in the https headers.
Is there a way to turn this off or disable this being set as a cookie in tomcat 7?
I either want the jsessionid to arrive embedded into a GET method url name value pairs or to be part of a POST request name value pairs.
I know all the advantages and disadvantages of using cookie based sessioning and url rewriting but I have specific needs for specific impl of restful web services.
I need tomcat 7 to accept jsessionid without using the http header: jsessionid.
Thanks.
UPDATE:
So I looked around some more and found this, which is implemented using the web.xml configuration.
However, the following doesn't seem to work with Tomcat 7.
<session-config>
    <tracking-mode>URL</tracking-mode>
</session-config>
Is it a case of TC7 not fully implementing the Servlet 3.0 spec?
The web.xml setting works for me with Tomcat 7.0.20.
Log and check the effective (and maybe the default) session tracking modes:
logger.info("default STM: {}", servletContext.getDefaultSessionTrackingModes());
logger.info("effective STM: {}", servletContext.getEffectiveSessionTrackingModes());
Maybe your app overrides the session tracking modes somewhere in the code. An example:
final Set<SessionTrackingMode> trackingModes =
        Collections.singleton(SessionTrackingMode.COOKIE);
servletContext.setSessionTrackingModes(trackingModes);
Check for ServletContext.setSessionTrackingModes() calls in your code.
It's also possible to set default session tracking modes in Tomcat's context settings, but I found that web.xml settings override them.
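The logging check from the answer, wired into a ServletContextListener so it runs at startup and also reports the session cookie flags that the "Mysterious HttpSession" question above configures, as an added example (not the answerer's code). It assumes Servlet 3 (javax.servlet) and SLF4J; the class name is illustrative.

```java
import java.util.Set;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Hypothetical startup listener: records where the session id travels and
 * how the cookie is flagged, so a web.xml change that "doesn't work" can be
 * compared against what the container actually applied.
 */
@WebListener
public class SessionTrackingAudit implements ServletContextListener {

    private static final Logger log = LoggerFactory.getLogger(SessionTrackingAudit.class);

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        Set<SessionTrackingMode> defaults = ctx.getDefaultSessionTrackingModes();
        Set<SessionTrackingMode> effective = ctx.getEffectiveSessionTrackingModes();
        log.info("default STM: {}", defaults);
        log.info("effective STM: {}", effective);

        // setSessionTrackingModes() is only legal while the context is still
        // initializing, so a listener or initializer that runs after this one
        // can still replace the web.xml value; the call fails anywhere else.
        if (effective.contains(SessionTrackingMode.URL)) {
            log.warn("URL rewriting enabled: the session id will appear in links, "
                    + "access logs and Referer headers");
        }
        if (effective.contains(SessionTrackingMode.COOKIE)) {
            SessionCookieConfig cookie = ctx.getSessionCookieConfig();
            // getName() is null when web.xml leaves the container default (JSESSIONID)
            log.info("session cookie name={} httpOnly={} secure={}",
                    cookie.getName(), cookie.isHttpOnly(), cookie.isSecure());
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```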
