
These are the remote server properties:

server.servlet.session.timeout=3m

Same for my local.properties.

Also, we have a config like this:

 http
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .invalidSessionUrl("/login?invalidSession") // do not touch
                .maximumSessions(1)//
                .maxSessionsPreventsLogin(true)//
                .expiredUrl("/login?expired")
                .sessionRegistry(sessionRegistry());

We have a class like this:

@Bean // Http Listener
public HttpSessionListener httpSessionListener() {
    return new HttpSessionListener() {
        @Override
        public void sessionCreated(HttpSessionEvent se) {

            HttpSession session = se.getSession();

            if (session != null) {
                // Log the timeout (in seconds) the container assigned to the new session
                LoggerService.logger.info("sessionCreated sessionid: {}, setMaxInactiveInterval: {}, ipaddress: {}",
                        session.getId(), session.getMaxInactiveInterval(), SecurityUtil.getIpAddress());
            }
        }
    };
}

I did this to see internal times.

But on the server, I see this log:

sessionCreated sessionid: 342E6139B2FE108D26537C9D684FBFF3, setMaxInactiveInterval: 1800, ipaddress: null

It must be 180, not 1800. Why does it multiply?

We don't have any other code to set this. For example:

request.getSession(false).setMaxInactiveInterval(11);

We don't have this. But I will use this if I can't find any solution.

For example, for remote, I changed to this:

server.servlet.session.timeout=44s

But what i see is:

sessionCreated sessionid: 7C3573FE7B5FB6C8939DF8BF60B1B550, setMaxInactiveInterval: 1800, ipaddress: null

Is Tomcat9 doing this?

On my local, I use those properties to test.

So

server.servlet.session.timeout=44s

for my local and remote server database configurations for my local.

But this time:

 sessionCreated sessionid: 747E6BF3DCD061DFF306325FE4FD76B6, getMaxInactiveInterval: 60, ipaddress: 0:0:0:0:0:0:0:1
747E6BF3DCD061DFF306325FE4FD76B6    0:0:0:0:0:0:0:1 Session Created

What am I doing wrong?

For the last test, I added this to the success handler for my local but with remote properties:

  LoggerService.logger.info("onAuthenticationSuccess sessionid: {}, getMaxInactiveInterval: {}, ipaddress: {}",
                    session.getId(), session.getMaxInactiveInterval(), SecurityUtil.getIpAddress());

            request.getSession(false).setMaxInactiveInterval(55);

            LoggerService.logger.info("onAuthenticationSuccess sessionid: {}, getMaxInactiveInterval: {}, ipaddress: {}",
                    session.getId(), session.getMaxInactiveInterval(), SecurityUtil.getIpAddress());

If I put in my username and password, I can see this:

   : onAuthenticationSuccess sessionid: F796EA6C54D8BCA239A36E02C4A7A030, getMaxInactiveInterval: 60, ipaddress: 0:0:0:0:0:0:0:1

  : onAuthenticationSuccess sessionid: F796EA6C54D8BCA239A36E02C4A7A030, getMaxInactiveInterval: 55, ipaddress: 0:0:0:0:0:0:0:1

I also did this:

@Bean // Http Listener
public HttpSessionListener httpSessionListener() {
    return new HttpSessionListener() {
        @Override
        public void sessionCreated(HttpSessionEvent se) {

            HttpSession session = se.getSession();

            if (session != null) {
                // Timeout (in seconds) before the per-session override
                LoggerService.logger.info("sessionCreated sessionid: {}, setMaxInactiveInterval: {}, ipaddress: {}",
                        session.getId(), session.getMaxInactiveInterval(), SecurityUtil.getIpAddress());

                session.setMaxInactiveInterval(55);

                // Timeout (in seconds) after the per-session override
                LoggerService.logger.info("sessionCreated sessionid: {}, setMaxInactiveInterval: {}, ipaddress: {}",
                        session.getId(), session.getMaxInactiveInterval(), SecurityUtil.getIpAddress());
            }
        }
    };
}

It is again the same:

sessionCreated sessionid: FFA7DC9A6558951F1CB790AD9D804F88, getMaxInactiveInterval: 60, ipaddress: null
sessionCreated sessionid: FFA7DC9A6558951F1CB790AD9D804F88, getMaxInactiveInterval: 55, ipaddress: null
FFA7DC9A6558951F1CB790AD9D804F88    0:0:0:0:0:0:0:1 Session Created

For remote, I tested with the same code and it also worked, but I don't want to set it programmatically.

sessionCreated before sessionid: 38EC29F7C9C45B34D1FDF05B1F90DC3A, getMaxInactiveInterval: 1800, ipaddress: 192.ss

sessionCreated after sessionid: 38EC29F7C9C45B34D1FDF05B1F90DC3A, getMaxInactiveInterval: 180, ipaddress: 192.ss

So, there are two problems:

  1. Why is application-remote-properties timeout value not working for local?
  2. Why is remote timeout multiplied by 10 (properties has 3m but log shows 1800s)?
M. Deinum
Caner Aydın
  • You cannot change the session timeout for a remote server, the `server.*` properties only apply to a local embedded server. Also the interval cannot be less than one minute on tomcat as the session invalidation thread that Tomcat has runs once every minute, setting a session timeout less than one minute thus makes no sense. Also your security configuration will NOT influence the session timeout, so adding that to the question doesn't add any additional information. – M. Deinum Sep 24 '19 at 09:04
  • @M.Deinum but on remote, it is working with programming in security configuration? – Caner Aydın Sep 24 '19 at 09:16
  • Yes that will work because you then set it per individual session NOT globally for the server. That isn't configuration, that is just a part of code executed on session creation, which is something different than globally configuring a server! – M. Deinum Sep 24 '19 at 09:17
  • `on tomcat as the session invalidation thread that Tomcat has runs once every minute` on tomcat, it does not invalidate every one minute. I have to wait "1800" seconds. ' which is something different that globally configuring a server!' so what can I do? Why can not spring do this? Maybe docker instead of tomcat can work better? – Caner Aydın Sep 24 '19 at 09:23
  • Because Spring cannot control externally configured servers! Would be quite a surprise, your operations team sets up a server, you deploy your application and suddenly their precisely configured server suddenly switches all session timeouts to 3 minutes. Just because you decided to do that (that impacts ALL the applications deployed on that server). Yes you have to wait 1800 seconds BUT the thread checking if a session is timed out runs every minute! So setting it to something less (as you are doing with the 44s sample) is pretty much useless and that is why spring boot switches that to minutes. – M. Deinum Sep 24 '19 at 09:24

1 Answer

The server.* properties are used to control the embedded container used by Spring Boot. Spring Boot will create an instance of the servlet container using one of the ServletWebServerFactory instances. These classes use the server.* properties to configure the controlled servlet container (tomcat, jetty etc).

However when you are deploying the application as a war file to a Tomcat instance the server.* properties don't apply. They don't apply because a pre-configured servlet container is available (as it is a remotely running service). So deploying to a remote Tomcat will make the server.* properties useless.

Regarding the session timeout being in minutes. Spring Boot will convert the session.servlet.session.timeout property to minutes, so 44s or 55s will be automatically converted to 1 minute. Setting it to something less than a minute also will not make much sense as Tomcat invalidates sessions with a thread running each minute.

M. Deinum
  • But, server can read database url, password, etc from `application-server.properties` ? – Caner Aydın Sep 25 '19 at 10:14
  • And how is that related to configuring an embedded server? You can configure a datasource for your application and that has nothing to do with using an embedded or remote server. – M. Deinum Sep 25 '19 at 10:15
  • Because you said `the server.* properties don't apply.` . So it applies? – Caner Aydın Sep 25 '19 at 10:16
  • No it doesn't. Properties in the `server.` namespace are for **embedded containers only**. Those will **not** configure a remote server. Configuring a datasource has nothing to do with configuring an embedded servlet container. You can even do that in a standalone spring application. So all other properties apply for configuring your spring application but **not** the `server.*` properties as Spring isn't controlling the remote server. – M. Deinum Sep 25 '19 at 10:17
  • So you say settings in `application-server.properties` work but can not configure server side settings, like session timeout? – Caner Aydın Sep 25 '19 at 10:21
  • That is what I have been saying from the start. – M. Deinum Sep 25 '19 at 10:22
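
Added example, not part of the original question or answer: since `server.servlet.session.timeout` is ignored for a war on an external Tomcat, the idle timeout has to be set at the web-application level instead. The sketch below assumes Spring Boot 2.x (`javax.servlet`) on a Servlet 4.0 container such as Tomcat 9; the class name `WarApplication` and the constant are hypothetical.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletException;

import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;

// Hypothetical application class for a war deployed to an external Tomcat 9.
@SpringBootApplication
public class WarApplication extends SpringBootServletInitializer {

    // Assumed value: the 3 minutes the question expected from
    // server.servlet.session.timeout=3m.
    private static final int SESSION_TIMEOUT_MINUTES = 3;

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder builder) {
        return builder.sources(WarApplication.class);
    }

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        // ServletContext.setSessionTimeout (Servlet 4.0) takes minutes and
        // applies to this web application only; other applications on the
        // same Tomcat keep the server-wide default from conf/web.xml.
        // It has to be called while the context is still initializing,
        // which is the case inside onStartup; afterwards the container
        // rejects the call with IllegalStateException.
        servletContext.setSessionTimeout(SESSION_TIMEOUT_MINUTES);
        super.onStartup(servletContext);
    }
}
```

With this in place, new sessions should report `getMaxInactiveInterval()` as 180 without any per-session `setMaxInactiveInterval` call. A `<session-config><session-timeout>3</session-timeout></session-config>` entry in the application's own `WEB-INF/web.xml` is the declarative equivalent.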