Spring Security with custom session timeout [closed]

Question

I need an option to set session timeout from GUI. Currently we can change session timeout globally using configuration

server.session.timeout=120
server.session.cookie.max-age=120
server.session.timeout=120`

Also we can set session timeout for each session.

session.setMaxInactiveInterval(120);

But found no option to set session timeout globally on fly. Is there any way to do this using spring boot

Thanks in advance

Answer 1

I think you may need to use spring jdbc session or redis session so that you can have full control over session store.

Spring boot jdbc session gives a bean

@Autowired JdbcOperationsSessionRepository sessionRepository;

using that we can set idle timeout from controller.

Just add the dependencies and and add @EnableJdbcHttpSession for your configuration.

http://docs.spring.io/spring-session/docs/current/reference/html5/guides/httpsession-jdbc-boot.html#httpsession-jdbc-boot-sample

But looks like session tables are not created automatically, You man need to create tables manually. you can find statements in

org/springframework/session/jdbc/schema-*.sql

http://docs.spring.io/spring-session/docs/current/api/org/springframework/session/jdbc/JdbcOperationsSessionRepository.html

Edit: 1

Even if jdbc session provided a way to set global default timeout, i found it is not working properly. seems only solution is to set session timeout when user login first using following code.

session.setMaxInactiveInterval(120);

Answer 2

One way to achieve this:

1. Persist the login time of the user.
2. Make an ajax ping request from the GUI to the server at some frequency say 30 secs.
3. Get the user from the session and his session timeout interval when the ping request comes in.
4. Compare it with the current time and expire his session if interval exceeds.

Below code invalidates http session of the current user:

    public static void customLogout(HttpServletRequest request, HttpServletResponse response){

        CookieClearingLogoutHandler cookieClearingLogoutHandler = new CookieClearingLogoutHandler(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);

        SecurityContextLogoutHandler securityContextLogoutHandler = new SecurityContextLogoutHandler();

        cookieClearingLogoutHandler.logout(request, response, null);

        securityContextLogoutHandler.logout(request, response, null);

    }