How to Get Session Time Message Using Spring Security

I want to receive a session timeout message when the session expires. Below is my spring-security.xml:

    <http auto-config="true" use-expressions="true">
        <logout logout-success-url="/" invalidate-session="true" logout-url="/LogOut"/>
        <form-login login-page="/Login" username-parameter="Name" password-parameter="Pwd"/>
        <session-management invalid-session-url="/?timeout=true">
            <concurrency-control max-sessions="1" expired-url="/Timeout?timeout=true" />
        </session-management>
    </http>

According to my knowledge, using the above code, when the session has expired, it should redirect to /?timeout=true or /Timeout?timeout=true. And when I log out of the system, it should go to /. But in my case, when I log out of the system it is also redirected to invalid-session-url, so I always get timeout=true for both a normal logout and a session timeout.

Please help me differentiate this.

UPDATE

/logout contains

    session = request.getSession();
    session.invalidate();
    session = null;
+7
5 answers

I solved it by writing a filter, depending on Spring Security.

If anyone is interested, they can use the code below:

    import java.io.IOException;

    import javax.servlet.FilterChain;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.apache.log4j.Logger;
    import org.springframework.web.filter.OncePerRequestFilter;

    public class FilterToGetTimeOut extends OncePerRequestFilter {

        private static final Logger LOG = Logger.getLogger(FilterToGetTimeOut.class);

        // Placeholder: the post left URL undefined; set it to the page shown after login.
        private static final String URL = "/after-login-page";

        @Override
        public void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws IOException {
            try {
                String uri = request.getRequestURI();
                Object login = request.getSession().getAttribute("login");

                if (uri.equals("/") || uri.equals("/Login/")) {
                    if (Boolean.TRUE.equals(login)) {
                        // Already logged in: go to the page shown after login.
                        response.sendRedirect(URL);
                        return; // the response is a redirect, so stop here
                    }
                } else if (login == null && !uri.equals("/LogOut")) {
                    // timeout=true makes the JSP show the session timeout message.
                    response.sendRedirect(request.getContextPath() + "/?timeout=true");
                    return;
                }
                filterChain.doFilter(request, response);
            } catch (Exception e) {
                LOG.error("FilterToGetTimeOut failed", e);
            }
        }
    }

Add this filter to web.xml.

    <filter>
        <filter-name>FilterToGetTimeOut</filter-name>
        <filter-class>package.FilterToGetTimeOut</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>FilterToGetTimeOut</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

So, the session is also invalid, and I can also handle the session timeout.

+5

I suggest you log out using this:

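    HttpSession session = request.getSession(false);
    SecurityContextHolder.clearContext();
    if (session != null) {
        session.invalidate();
    }
    // getCookies() returns null when the request carries no cookies.
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            cookie.setMaxAge(0);
            // The expiry only reaches the browser if the cookie is sent back
            // (response = the current HttpServletResponse).
            response.addCookie(cookie);
        }
    }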
+3
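
The same cookie cleanup can be expressed in the security configuration itself. This is an added example, not part of the original posts: it is the question's `<http>` block with one attribute added to `<logout>`, and it assumes Spring Security 3.1 or later (where the `delete-cookies` attribute exists) and a container that names its session cookie JSESSIONID.

```xml
<http auto-config="true" use-expressions="true">
    <!--
      Before: <logout logout-success-url="/" invalidate-session="true" logout-url="/LogOut"/>
      The session is invalidated on the server, but the browser keeps its JSESSIONID
      cookie. The redirect to "/" then carries a session ID the container no longer
      knows, and session management sends it to invalid-session-url as a timeout.

      After: delete-cookies expires the cookie in the logout response, so the
      request that follows logout carries no session ID and is not treated as an
      invalid session. The session is still invalidated on the server.
    -->
    <logout logout-success-url="/"
            invalidate-session="true"
            delete-cookies="JSESSIONID"
            logout-url="/LogOut"/>
    <form-login login-page="/Login" username-parameter="Name" password-parameter="Pwd"/>
    <session-management invalid-session-url="/?timeout=true">
        <concurrency-control max-sessions="1" expired-url="/Timeout?timeout=true"/>
    </session-management>
</http>
```

The cookie is expired at the application's context path, so this depends on the container issuing JSESSIONID at that path; a reverse proxy that rewrites cookie paths can leave the old cookie in place.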

In your case, what happens is that when a user logs out, the session is invalidated first and session management is then triggered. When session management comes in and finds that the session is already gone, it redirects to the session timeout page. Therefore, it is better to set invalidate-session on the logout tag to false.

 <logout logout-success-url="/" invalidate-session="false" logout-url="/LogOut"/> 
0

Please define the request mapping for the logout URL in your controller and from there redirect it to the main page, e.g. replace your mapping with the one below:

    <http auto-config="true" use-expressions="true">
        <logout logout-success-url="/logoutSucess" invalidate-session="true" logout-url="/LogOut"/>
        <form-login login-page="/Login" username-parameter="Name" password-parameter="Pwd"/>
        <session-management invalid-session-url="/?timeout=true">
            <concurrency-control max-sessions="1" expired-url="/Timeout?timeout=true" />
        </session-management>
    </http>

Define this /logoutSucess in the controller using @RequestMapping(value = "/logoutSucess", method = RequestMethod.GET).

0

I had a similar problem, e.g.:

  • You are logged in with some user, say zzzz
  • You close the browser
  • You try to log in again with the same user zzzz
  • Login fails with a message that the maximum number of sessions has been exceeded

The code I have in my spring security file is:

    <session-management invalid-session-url="/?timeout=true">
        <concurrency-control max-sessions="1" expired-url="/logout?timeout" />
    </session-management>

I solved this problem by adding a session timeout entry to the web.xml file. I set the session timeout value to 5 minutes, built the application and deployed it. It works great.

Perhaps this will help someone.

Thanks Atul

0