
Please correct me if I'm wrong, but according to my understanding, VaadinSession has the same time to live as its owner HTTP session.

So, in order to configure the timeout for both Vaadin and HTTP sessions, we can use the following Spring Boot property:

server.servlet.session.timeout=30m

Is it possible to separate the timeout for HTTP sessions from that of Vaadin sessions? For example, can I set the HTTP session timeout to 7 days and the Vaadin session timeout to 30 minutes? The idea here is to store generic information about the logged-in user, such as an OAuth token, in the HTTP session, and Vaadin-related information in the Vaadin session. If this is possible, can I configure the session persistence mechanism only for the data stored in the HTTP session? I don't need to persist the Vaadin-related data because it seems like I can easily recreate it based on the OAuth2 token from the HTTP session and the database data in the SessionInitListener.

Am I on the right track, or is it not possible?

alexanoid
  • What you are looking for sounds very unorthodox to me. And yes, Vaadin does not have anything like that. I understand your use case, and normally it is accomplished by setting the token lifespan in the SSO provider, not by using an oddly long session timeout. – Tatu Lund May 06 '23 at 16:35
  • I'm currently using this approach, but on the HTTP/Vaadin session expiration it requires me to redirect the user from the Vaadin app to Keycloak (my SSO provider). If the SSO session is still active, the SSO server will seamlessly redirect the user back to Vaadin. I'm looking for a way to eliminate this redirect. – alexanoid May 06 '23 at 16:37
  • And I don't have any idea on how to restore the access token without this redirect since the information is already lost with the HTTP session (where potentially the refresh token could also be stored). – alexanoid May 06 '23 at 16:59
  • And it seems that everything comes back to different timeouts for HTTP and Vaadin sessions... – alexanoid May 06 '23 at 17:23
  • Have you considered adding a SessionDestroy listener and then calling SecurityContext#clear in it? – Tatu Lund May 08 '23 at 07:49
  • I'm sorry, but I don't quite understand how this can help. Could you please explain in more detail? – alexanoid May 08 '23 at 11:40
  • "I'm looking for a way to eliminate this redirect" - I mean I just want to reauthenticate the user in the Vaadin Session without the redirect to SSO; this is why I'm looking for something that will live longer than the Vaadin Session. – alexanoid May 08 '23 at 11:42

0 Answers