
I'm working on a SpringBoot application with an embedded Tomcat servlet container.

During the authentication workflow I would like to be able to define a session timeout according to the roles of the user who is logging in.

For example, an admin could have a session which would live for, let's say, 2 hours, while a regular user would have a session duration of 1 hour.
After that, the user would receive an HTTP 401 response status on his subsequent requests to protected resources.

I'm currently using the server.servlet.session.timeout property, but it only lets me set this timeout value for everybody; it's not individually configurable, and that's not what I want.

I'm also aware of the setMaxInactiveInterval method available for the session but, correct me if I'm wrong, its purpose is to define the idle value between 2 requests after which it invalidates the session.
Again that's not what I want.

  • Is there a way to programmatically define the duration of a user session on a case-by-case basis?
  • If not, how could I destroy / invalidate a session using a cron job (using a ScheduledFuture or whatever)?
    I could create some cron logic by listening to AuthenticationSuccessEvent and invoking SecurityContextHolder.clearContext() once the defined timeout is reached, but I'm not sure it would invalidate the session.
    And I don't think I could invalidate it without having access to the session, which can only be done through a request, right?

Thanks for your help.

Edit 1: I think I misunderstood the usage of the server.servlet.session.timeout property. I thought it would kill the session after the specified time, but it's more about the idle time between requests (more or less like the setMaxInactiveInterval method).

  • So my third question would be: is there a way to specify the duration of a user session whether or not there is activity during this session (I can't find any property for this)?

Edit 2: From what I understand from this response (https://stackoverflow.com/a/40825334/11648839), maybe it would be interesting for me to work with the JSESSIONID cookie and its max-age value.

Gilles

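An added example, not part of the original question or of any posted answer, showing one way to get an absolute, role-dependent session lifetime in Spring Boot: a servlet filter that records the moment the session first carries an authenticated principal and, on every later request, invalidates the session and returns 401 once that moment plus the role's lifetime has passed. Neither server.servlet.session.timeout nor setMaxInactiveInterval is used, since both measure idle time; the absolute limit is enforced on the server side, which is also why the JSESSIONID max-age mentioned in Edit 2 is not relied on (a cookie's max-age is only a hint to the browser and can be ignored by any client). The class name, the session attribute key, the ROLE_ADMIN authority name and the two durations are assumptions chosen for this example; the imports assume Spring Boot 3 / Spring Security 6 (jakarta.servlet), so on Spring Boot 2 replace jakarta.servlet with javax.servlet.

```java
// Added example (not from the original question): absolute session lifetime per role.
// Assumptions: Spring Boot 3 / Spring Security 6, roles exposed as ROLE_ADMIN / ROLE_USER.
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

public class AbsoluteSessionLifetimeFilter extends OncePerRequestFilter {

    // Session attribute holding the instant the session first became authenticated.
    // (Hypothetical key chosen for this example.)
    static final String AUTHENTICATED_AT = "absoluteSession.authenticatedAt";

    // Role-dependent absolute lifetimes; values from the question, not a Spring default.
    static final Duration ADMIN_LIFETIME = Duration.ofHours(2);
    static final Duration USER_LIFETIME = Duration.ofHours(1);

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        if (session != null && auth != null && auth.isAuthenticated()) {
            Instant authenticatedAt = (Instant) session.getAttribute(AUTHENTICATED_AT);
            if (authenticatedAt == null) {
                // First authenticated request seen in this session: start the absolute clock.
                // Instant is Serializable, so this survives session persistence/clustering.
                session.setAttribute(AUTHENTICATED_AT, Instant.now());
            } else if (Instant.now().isAfter(authenticatedAt.plus(lifetimeFor(auth)))) {
                // Lifetime exceeded regardless of activity: kill the server-side session,
                // drop the thread-local context, and answer 401 as the question asks.
                session.invalidate();
                SecurityContextHolder.clearContext();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    // Pick the lifetime from the principal's granted authorities.
    static Duration lifetimeFor(Authentication auth) {
        for (GrantedAuthority authority : auth.getAuthorities()) {
            if ("ROLE_ADMIN".equals(authority.getAuthority())) {
                return ADMIN_LIFETIME;
            }
        }
        return USER_LIFETIME;
    }
}
```

The filter has to run after Spring Security has loaded the SecurityContext for the request, so register it in the security filter chain rather than as a plain servlet filter, for example with http.addFilterAfter(new AbsoluteSessionLifetimeFilter(), SecurityContextHolderFilter.class) in the SecurityFilterChain bean (on Spring Security 5 the corresponding filter is SecurityContextPersistenceFilter). Two caveats a practitioner should keep in mind: the check only fires when a request arrives, so a session that expires while nobody is using it is simply left for Tomcat's idle timeout to reclaim, which is harmless because any later request will be rejected by the filter first; and because Spring Security's session-fixation protection migrates attributes into the new session created at login, the recorded instant follows the session the user actually ends up with.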