
Spring Security with custom session timeout [closed]

I need an option to set the session timeout from the GUI. Currently we can change the session timeout globally using configuration:

    server.session.timeout=120
    server.session.cookie.max-age=120

We can also set the session timeout for each session:

    session.setMaxInactiveInterval(120);

But I found no option to set the session timeout globally on the fly. Is there any way to do this using Spring Boot?

Thanks in advance

Jijesh Kumar asked Oct 18 '22 07:10

2 Answers

I think you may need to use Spring JDBC session or Redis session so that you can have full control over the session store.

Spring Boot JDBC session gives a bean:

    @Autowired JdbcOperationsSessionRepository sessionRepository;

Using that we can set the idle timeout from a controller.

Just add the dependencies and add @EnableJdbcHttpSession to your configuration.

http://docs.spring.io/spring-session/docs/current/reference/html5/guides/httpsession-jdbc-boot.html#httpsession-jdbc-boot-sample

But it looks like the session tables are not created automatically; you may need to create the tables manually. You can find the statements in

    org/springframework/session/jdbc/schema-*.sql

http://docs.spring.io/spring-session/docs/current/api/org/springframework/session/jdbc/JdbcOperationsSessionRepository.html

Edit: 1

Even if JDBC session provided a way to set a global default timeout, I found it is not working properly. It seems the only solution is to set the session timeout when the user first logs in, using the following code:

    session.setMaxInactiveInterval(120);

shams.kool answered Oct 21 '22 09:10


One way to achieve this:

  1. Persist the login time of the user.
  2. Make an AJAX ping request from the GUI to the server at some frequency, say every 30 seconds.
  3. When the ping request comes in, get the user and his session timeout interval from the session.
  4. Compare it with the current time and expire his session if the interval is exceeded.

The code below invalidates the HTTP session of the current user:

    // javax.servlet on Spring Boot 2.x; use jakarta.servlet on Spring Boot 3.x
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
    import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
    import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;

    public static void customLogout(HttpServletRequest request, HttpServletResponse response) {
        // Clears the remember-me cookie so the browser cannot re-authenticate silently
        CookieClearingLogoutHandler cookieClearingLogoutHandler =
                new CookieClearingLogoutHandler(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
        // Invalidates the HTTP session and clears the SecurityContext
        SecurityContextLogoutHandler securityContextLogoutHandler = new SecurityContextLogoutHandler();

        // A null Authentication is accepted by both handlers
        cookieClearingLogoutHandler.logout(request, response, null);
        securityContextLogoutHandler.logout(request, response, null);
    }

Siva Kumar answered Oct 21 '22 07:10
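An added example, not code from the question or either answer, of changing the timeout globally on the fly without a JDBC or Redis store or a ping loop: a Spring filter re-applies a runtime-adjustable value to every existing session on each request, and an admin-only endpoint changes it with bounds checking. It assumes Spring Boot 3 (jakarta.servlet) with method security enabled; the class names, endpoint path and bounds are constructed for this example.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicInteger;
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.filter.OncePerRequestFilter;

/** Holds the current global idle timeout and re-applies it to every existing session on each
 *  request, so a change reaches users who are already logged in; the servlet container then
 *  expires idle sessions as usual. Class names, path and bounds are constructed for this example. */
@Component
public class GlobalSessionTimeoutFilter extends OncePerRequestFilter {
    // Bounds stop a mistyped or malicious value from disabling idle expiry or locking users out.
    static final int MIN_SECONDS = 60, MAX_SECONDS = 8 * 60 * 60;
    private final AtomicInteger seconds = new AtomicInteger(120); // the question's 120s default
    public int getTimeoutSeconds() { return seconds.get(); }
    /** Returns false and leaves the setting untouched if the value is out of range. */
    public boolean setTimeoutSeconds(int newSeconds) {
        if (newSeconds < MIN_SECONDS || newSeconds > MAX_SECONDS) return false;
        seconds.set(newSeconds);
        return true;
    }
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false); // never create a session just to set a timeout
        if (session != null && session.getMaxInactiveInterval() != seconds.get()) {
            session.setMaxInactiveInterval(seconds.get());
        }
        chain.doFilter(req, res);
    }
}

/** Admin-only endpoint; needs @EnableMethodSecurity, and Spring Security's CSRF protection stays on. */
@RestController
class SessionTimeoutController {
    private final GlobalSessionTimeoutFilter timeout;
    SessionTimeoutController(GlobalSessionTimeoutFilter timeout) { this.timeout = timeout; }
    @PutMapping("/admin/session-timeout") @PreAuthorize("hasRole('ADMIN')")
    ResponseEntity<String> update(@RequestParam int seconds) {
        return timeout.setTimeoutSeconds(seconds)
                ? ResponseEntity.ok("session timeout set to " + seconds + "s")
                : ResponseEntity.badRequest().body("timeout out of allowed range");
    }
}
```

The server-side inactive interval is what actually enforces expiry; the session cookie's max-age from the question is only a browser-side hint and should be kept aligned with it separately.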