How to get session time out message using Spring security

悲哀的现实 2020-12-10 16:41

I want to get the session timeout message when the session expires. Below is my spring-security.xml



        
5 Answers
  • 2020-12-10 17:15

    In your case, what happens is that when a user logs out, the session is first invalidated and then session management gets triggered. When session management comes in and finds that the session is already gone, it redirects to the sessionTimeout page. So it would be better to set invalidate-session on the logout tag to false.

    <logout logout-success-url="/" invalidate-session="false" logout-url="/LogOut"/>
    
  • 2020-12-10 17:16

    I had a similar issue:

    1. You log in with some user, say zzzz
    2. You close the browser
    3. You try to log in again with the same user zzzz
    4. It fails to log in, with the message for maximum sessions exceeded

    The code I have on my spring security file is:

    <session-management invalid-session-url="/?timeout=true">
        <concurrency-control max-sessions="1" expired-url="/logout?timeout" />
    </session-management>

    I solved this issue by adding the session timeout entry in the web.xml file. I set the session timeout value to 5 min, built the application and deployed it. It's working fine.

    Maybe this will help someone.

    Thanks, Atul

  • 2020-12-10 17:19

    I suggest you log out using this:

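    // Assumes request (HttpServletRequest) and response (HttpServletResponse) are in scope.
    HttpSession session = request.getSession(false);
    SecurityContextHolder.clearContext();
    if (session != null) {
        session.invalidate();
    }
    Cookie[] cookies = request.getCookies();   // null when the request carries no cookies
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            cookie.setMaxAge(0);
            // The expiry only reaches the browser if the cookie is sent back;
            // the path must match the one the cookie was issued with.
            response.addCookie(cookie);
        }
    }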
    
  • 2020-12-10 17:31

    Please define a request mapping for the logout-success URL in your controller, and from there redirect to the home page. For example, replace your mapping as below:

    <http auto-config="true" use-expressions="true">
        <logout logout-success-url="/logoutSucess" invalidate-session="true" logout-url="/LogOut"/>
        <form-login login-page="/Login" username-parameter="Name" password-parameter="Pwd"/>
        <session-management invalid-session-url="/?timeout=true">
            <concurrency-control max-sessions="1" expired-url="/Timeout?timeout=true" />
        </session-management>
    </http>

    Define this /logoutSucess in the controller with @RequestMapping(value="/logoutSucess", method=RequestMethod.GET)

  • 2020-12-10 17:32

    I solved it by writing a filter instead of depending on Spring Security.

    If anyone is interested, they can use the code below:

    import java.io.IOException;

    import javax.servlet.FilterChain;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.apache.log4j.Logger;
    import org.springframework.web.filter.OncePerRequestFilter;

    public class FilterToGetTimeOut extends OncePerRequestFilter {

        private static final Logger LOG = Logger.getLogger(FilterToGetTimeOut.class);

        // Placeholder: the post does not define URL; set it to the page shown after login.
        private static final String URL = "/after-login-page";

        @Override
        public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException {
            try {
                String uri = request.getRequestURI();
                // The session attribute "login" marks a logged-in user.
                Object login = request.getSession().getAttribute("login");
                if (uri.equals("/") || uri.equals("/Login/")) {
                    if (Boolean.TRUE.equals(login)) {
                        response.sendRedirect(URL);     // After-login page
                        return;                         // Response is committed; do not continue the chain
                    }
                } else if (login == null && !uri.equals("/LogOut")) {
                    // timeout=true tells the JSP to show the session timeout error message
                    response.sendRedirect(request.getContextPath() + "/?timeout=true");
                    return;
                }
                filterChain.doFilter(request, response);
            } catch (Exception e) {
                LOG.error("Session timeout filter failed", e);
            }
        }
    }
    

    Add this filter in web.xml.

    <filter>
        <filter-name>FilterToGetTimeOut</filter-name>
        <filter-class>package.FilterToGetTimeOut</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>FilterToGetTimeOut</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    

    So now the session is also invalidated and I can handle the session timeout too.

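An added example, not code from any of the answers above: a filter that separates a real session expiry from a logout or a first visit by checking whether the browser sent a session id the container no longer recognises, which lets logout keep invalidating the session. The class name and the `JSESSIONID` cookie name (the usual container default) are assumptions; the paths are the ones used in the configurations on this page.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example; class name and the JSESSIONID cookie name are assumptions.
public class ExpiredSessionFilter extends OncePerRequestFilter {

    private static final String LOGOUT_PATH = "/LogOut";           // logout-url from the page
    private static final String TIMEOUT_TARGET = "/?timeout=true"; // invalid-session-url from the page

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (LOGOUT_PATH.equals(path)) {
            // Drop the cookie during logout so the redirect that follows does not
            // arrive with a dead session id and get reported as a timeout.
            expireSessionCookie(request, response);
            chain.doFilter(request, response);
            return;
        }

        // An id was sent but the container no longer has that session: it expired.
        // A first visit sends no id at all, so it is not treated as a timeout.
        boolean stale = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
        boolean onTimeoutPage = "/".equals(path) && "true".equals(request.getParameter("timeout"));

        if (stale && !onTimeoutPage) {
            expireSessionCookie(request, response);
            response.sendRedirect(request.getContextPath() + TIMEOUT_TARGET);
            return; // the response is committed, so the chain must not continue
        }
        chain.doFilter(request, response);
    }

    private static void expireSessionCookie(HttpServletRequest request, HttpServletResponse response) {
        Cookie cookie = new Cookie("JSESSIONID", "");
        String contextPath = request.getContextPath();
        cookie.setPath(contextPath.isEmpty() ? "/" : contextPath); // must match the issuing path
        cookie.setMaxAge(0);
        response.addCookie(cookie);
    }
}
```

Register it in web.xml ahead of the Spring Security filter chain so the logout branch runs before the session is invalidated. Spring Security's own `delete-cookies="JSESSIONID"` attribute on `<logout>` covers the logout half without a custom filter.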