When attempting to add spring-session to an existing Spring MVC project with spring-security, I get the following behavior (EDIT: with tomcat's session-timeout set to 1 minute for testing):

  • With the springSessionRepositoryFilter filter in web.xml commented-out, I am correctly booted to the login screen after a minute of inactivity
  • With the springSessionRepositoryFilter filter in web.xml active, I can continue to use the app at least 5 minutes after the last activity

Besides that, everything seems to work as expected - the session is persisted in redis & across webapp restarts, and logging out manually correctly invalidates the session.

Some snippets of my configuration - here is the invalid session handler configuration for spring-security, that will cause expired sessions to be redirected to a login page:

...
<beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
    <beans:constructor-arg name="securityContextRepository">
        <beans:bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>
    </beans:constructor-arg>
    <beans:property name="invalidSessionStrategy">
        <beans:bean class="my.CustomInvalidSessionStrategy"/>
    </beans:property>
</beans:bean>
...
<http>
    ...
    <custom-filter position="SESSION_MANAGEMENT_FILTER" ref="sessionManagementFilter"/>
    ...
    <logout delete-cookies="true" invalidate-session="true" logout-url="/signout.html" success-handler-ref="logoutSuccessHandler"/>
</http>

The web.xml's filter chain looks like:

<filter>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

And (one of) the spring context files loaded contains:

<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration"/>

<bean class="org.springframework.security.web.session.HttpSessionEventPublisher"/>

<bean class="org.springframework.data.redis.connection.jedis.JedisConnectionFactory"/>

Hopefully I'm just missing something really obvious!

Edit: The versions I used for the attempt were spring-security-4.0.4.RELEASE and spring-session-1.1.1.RELEASE

mrusinak

1 Answer

When using Redis, the session timeout is configured like this:

<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration">
    <property name="maxInactiveIntervalInSeconds" value="10"></property>
</bean>
damnputer
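
Why the one-minute container timeout appears to be ignored, as an added example that is not part of the original answer: a Spring Session session carries its own max inactive interval (30 minutes by default), which the property above overrides. The sketch assumes the spring-session 1.1.x API named in the question; the names `SessionTimeoutDemo` and `expiredAfter` are hypothetical.

```java
import org.springframework.session.MapSession;

// Added illustration, not code from the question or the answer.
// Assumes spring-session 1.1.x on the classpath (the version named in the question).
public class SessionTimeoutDemo {

    // Builds a session with the given max inactive interval, back-dates its
    // last access by idleSeconds, and reports whether Spring Session treats
    // it as expired.
    static boolean expiredAfter(int maxInactiveSeconds, int idleSeconds) {
        MapSession session = new MapSession();
        session.setMaxInactiveIntervalInSeconds(maxInactiveSeconds);
        session.setLastAccessedTime(System.currentTimeMillis() - idleSeconds * 1000L);
        return session.isExpired();
    }

    public static void main(String[] args) {
        // Library default (30 minutes), used when maxInactiveIntervalInSeconds is not set.
        int libraryDefault = MapSession.DEFAULT_MAX_INACTIVE_INTERVAL_SECONDS;

        // Constructed scenario from the question: the user has been idle for
        // just over the one-minute session-timeout configured for Tomcat.
        int idleSeconds = 61;

        // With the filter active and no explicit interval, the library default
        // applies, so the idle session is still accepted.
        System.out.println("default interval (" + libraryDefault + "s), idle "
                + idleSeconds + "s -> expired: "
                + expiredAfter(libraryDefault, idleSeconds));

        // With the interval aligned to the intended one-minute idle timeout,
        // the same idle session is rejected.
        System.out.println("interval 60s, idle " + idleSeconds + "s -> expired: "
                + expiredAfter(60, idleSeconds));

        // The answer's value of 10 seconds expires the session sooner still.
        System.out.println("interval 10s, idle " + idleSeconds + "s -> expired: "
                + expiredAfter(10, idleSeconds));
    }
}
```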