6

I'm learning Spring and working on the login/logout functionality. This is what my controller looks like:

    import javax.servlet.http.HttpSession;
    import org.springframework.security.core.Authentication;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.servlet.ModelAndView;

    // Spring Security redirects here after a successful form login (default-target-url).
    @RequestMapping(value = "/successfulLoginAuth", method = RequestMethod.GET)
    public ModelAndView postHttpLogin(HttpSession session, Authentication authInfo) {
        ModelAndView mav = new ModelAndView();
        mav.setViewName("redirect:/index.html");
        // Keep the authenticated principal in the HttpSession so index.jsp can read it
        session.setAttribute("authInfo", authInfo);
        return mav;
    }

The log in is performed via Spring Security using a dao service which I have implemented. That works fine.

This is the content of index.jsp:

    <%@ page import="org.springframework.security.core.Authentication" %>
    <%
        // Read back the Authentication that the controller stored in the session
        HttpSession session1 = request.getSession(false);
        Authentication authInfo;
        if (session1 != null
                && (authInfo = (Authentication) session1.getAttribute("authInfo")) != null) {
            // Prints the user name and the first granted authority
            out.print(" yo " + authInfo.getName() + " "
                    + authInfo.getAuthorities().iterator().next().getAuthority());
        } else {
    %>
    <a href="${pageContext.request.contextPath}/registration">New? Sign Up!</a><br/>
    <a href="${pageContext.request.contextPath}/login">Existing? Sign In!</a><br/>
    <%
        }
    %>

When I log in and restart the server, I'm still logged in. Shouldn't the session information be lost after a server restart? If I restart the browser, it works as it should (i.e. the session info is lost).

This is my Spring Security configuration:

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/logout" access="permitAll" />
        <intercept-url pattern="/accessdenied" access="permitAll" />
        <form-login login-page="/login" default-target-url="/successfulLoginAuth" authentication-failure-url="/accessdenied" />
        <logout logout-success-url="/logout" />
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref="myUserDetailsService" />
    </authentication-manager>
Chinmay Shah

2 Answers

11

I'm assuming you are using Tomcat, which uses a Manager component to persist sessions between application life-cycles. You can change all those settings in the Manager component configuration.

I think it also depends on the kind of changes you do. Eclipse's plugin for Tomcat server will decide if it should flush the serialized HttpSessions or not.

Sotirios Delimanolis
  • Thanks! This is a server config thing. Under context.xml I saw this line and made the change: Uncomment this to disable session persistence across Tomcat restarts: `` – Chinmay Shah Sep 27 '13 at 14:03
  • If you're wondering why your Tomcat does this and never set it up, look for a file named SESSIONS.ser somewhere in your temp directory - Tomcat saves this file as part of a correct shutdown procedure. – JohnEye May 27 '21 at 10:25
8

I am guessing you are using Tomcat.

From the docs, the saveOnRestart property:

Should all sessions be persisted and reloaded when Tomcat is shut down and restarted (or when this application is reloaded)? By default, this attribute is set to true.

You can control this by changing the property to false in your context.xml:

    <!-- saveOnRestart is an attribute of <Manager>, not a child element. With the default
         StandardManager, pathname="" on its own disables persistence across restarts;
         saveOnRestart is the switch honoured by PersistentManager. -->
    <Manager pathname="" saveOnRestart="false" />
Siva
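An added audit check (not code from either answer) that parses a Tomcat context.xml and reports whether session persistence across restarts is actually switched off. It covers both the default StandardManager (empty `pathname`) and a PersistentManager with `saveOnRestart="false"`, and treats a commented-out Manager line, the situation the asker found, as still enabled. Both sample files are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the stock context.xml ships the Manager line commented out,
# so sessions are still written to SESSIONS.ser on shutdown.
CONTEXT_XML_DEFAULT = """<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <!-- Uncomment this to disable session persistence across Tomcat restarts -->
    <!--
    <Manager pathname="" />
    -->
</Context>
"""

# Constructed sample with the fix applied.
CONTEXT_XML_FIXED = """<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <Manager pathname="" />
</Context>
"""

STANDARD_MANAGER = "org.apache.catalina.session.StandardManager"
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"


def session_persistence_disabled(context_xml: str) -> bool:
    """True only if an *active* <Manager> element turns off saving sessions
    across restarts. XML comments are dropped by the parser, so a commented-out
    Manager correctly counts as "persistence still enabled"."""
    root = ET.fromstring(context_xml)
    if root.tag != "Context":
        raise ValueError("expected a <Context> root element")
    managers = root.findall("Manager")
    if not managers:
        return False  # no Manager at all: StandardManager defaults, sessions persisted
    for manager in managers:
        cls = manager.get("className", STANDARD_MANAGER)
        if cls == PERSISTENT_MANAGER:
            # PersistentManager: governed by saveOnRestart (default true per the docs)
            if manager.get("saveOnRestart", "true").lower() == "false":
                return True
        elif manager.get("pathname") == "":
            # StandardManager: an empty pathname means no SESSIONS.ser is written
            return True
    return False


if __name__ == "__main__":
    for name, xml in (("default", CONTEXT_XML_DEFAULT), ("fixed", CONTEXT_XML_FIXED)):
        print(f"{name}: persistence disabled = {session_persistence_disabled(xml)}")
```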