1

I have a Spring Boot application and I can't seem to get my login session to last very long. I'm setting the following in application.properties:

    spring.session.timeout = 180d
    server.servlet.session.timeout = 180d

I have a couple of questions:

• What duration suffixes are allowed when specifying spring.session.timeout and server.servlet.session.timeout? I can't find this documented anywhere, just a note in these docs saying “If a duration suffix is not specified, seconds are used,” implying other durations are possible.

• Do I need to include spring-session in my POM? I don't care about session clustering or the stateful REST API support, and I want to avoid more startup time and configuration. I certainly don’t want to configure more persistence.

My primary concern is keeping me logged in to the website (ideally indefinitely).

I'm using Spring Boot 2.3.0-RELEASE.

Rick

2 Answers

1

If you are not using Spring Session, you should use the property server.servlet.session.timeout.

When specifying the timeout you have 3 options.

  • You can use the standard ISO-8601 format used by java.time.Duration, for example P180D for 180 days.

  • You can use a simple format where the value and the unit are coupled, for example 180d for 180 days. You can find the supported units in this section of the Spring Boot reference docs.

  • Finally, you can use a long representation and the specified number will be interpreted as seconds, for example 200 for 200 seconds.

You do not need to include spring-session in your POM.
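The three value styles listed in this answer can be checked with a small stand-alone parser. This is an added example, not part of the original answer and not Spring Boot's own code; the class name `SessionTimeoutFormats` is hypothetical, and the suffix table is the set of units given in the Spring Boot reference docs.

```java
import java.time.Duration;
import java.time.temporal.ChronoUnit;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration: re-implements the three value styles without any Spring dependency.
public class SessionTimeoutFormats {

    // Unit suffixes of the simple style ("180d", "30m", ...).
    private static final Map<String, ChronoUnit> UNITS = Map.of(
            "ns", ChronoUnit.NANOS, "us", ChronoUnit.MICROS, "ms", ChronoUnit.MILLIS,
            "s", ChronoUnit.SECONDS, "m", ChronoUnit.MINUTES, "h", ChronoUnit.HOURS,
            "d", ChronoUnit.DAYS);

    // Optional sign, digits, then at most two letters of unit suffix.
    private static final Pattern SIMPLE = Pattern.compile("^([+-]?\\d+)([a-zA-Z]{0,2})$");

    static Duration parse(String value) {
        Matcher m = SIMPLE.matcher(value);
        if (m.matches()) {
            String suffix = m.group(2).toLowerCase();
            // A bare number means seconds for the session timeout properties.
            ChronoUnit unit = suffix.isEmpty() ? ChronoUnit.SECONDS : UNITS.get(suffix);
            if (unit == null) {
                throw new IllegalArgumentException("unknown unit '" + suffix + "'");
            }
            return Duration.of(Long.parseLong(m.group(1)), unit);
        }
        // Anything else must be ISO-8601; throws DateTimeParseException if it is not.
        return Duration.parse(value);
    }

    public static void main(String[] args) {
        // Constructed sample values: the three accepted styles plus two that are rejected.
        for (String sample : new String[] {"P180D", "180d", "200", "30m", "PT12H", "6w", "1.5h"}) {
            try {
                Duration d = parse(sample);
                System.out.printf("%-6s -> %s (%d s)%n", sample, d, d.getSeconds());
            } catch (RuntimeException e) {
                System.out.printf("%-6s -> rejected: %s%n", sample, e.getMessage());
            }
        }
    }
}
```

Note that `m` is minutes and `ms` is milliseconds, and that there is no suffix for weeks, months or years, so the longest unit available in the simple style is `d`.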

0

In Spring Boot 2.4+. It might work in versions below that, but I did not test it.

I am using the below configuration. max-age sets the max-age in the cookie on the browser side and timeout sets the timeout in the MAX_INACTIVE_INTERVAL column in spring_session which I store in JDBC.

When I use only max-age, my cookie gets deleted from the backend database in 30 minutes. When I use only timeout, the cookie gets deleted from the browser on browser restart. Therefore, I have set max-age to 30 days to persist the session in the browser and timeout to 30 days to persist the session in the db.

    server:
      servlet:
        session:
          cookie:
            max-age: 30d
          timeout: 30d

My build.gradle for oauth looks like

    implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
    implementation 'org.springframework.boot:spring-boot-starter-web'

    // for oauth
    implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
    implementation 'org.springframework.boot:spring-boot-starter-security'

    // to store session in jdbc
    implementation "org.springframework.session:spring-session-jdbc"

Helpful link

royatirek