How to set an infinite session time out with Spring Security - java

I have a request from a client to stop sessions timing out (yes, I know this is a bad idea). The webapp is developed using Spring Security and will be hosted on Heroku. I know I can set a finite session timeout with:
<session-config>
<session-timeout>15</session-timeout>
</session-config>
I'm hoping there's a parameter I can put here (-1 perhaps?) that will prevent the session timing out.

You can use -1 and the session will not expire.
<session-timeout>-1</session-timeout>

Session invalidate because there is no communication between client-side and server side so server don't know about the users state.
Here you need infinite session timeout so Use -1 in <session-timeout> tag because -1 is for session never expires
<session-config>
<session-timeout>-1</session-timeout>
</session-config>

From Java side
request.getSession().setMaxInactiveInterval(-1);

Related

set session cookie secure and httpOnly for LFR_SESSION_STATE_%

Environment :
Liferay 6.2 with Jboss
We are trying to implement httponly and secure.
For this we have dome some changes like below
Added in Portal-ext.properties :
cookie.http.only.names.excludes=
and
Added following properties in ROOT.war/WEB-INF/web.xml
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
I can see all the session cookies are httponly except the one which are starting with LFR_SESSION_STATE_
Can anyone suggest how we can handle this.
LFR_SESSION_STATE_ are cookies that explicitly get handled on client-side and not on server side - thus they're inherently only accessed through JS. As far as I know they're never even persisted on server side. And I don't expect any real leakage from these cookies. In my perception the cookies are about determining state of the quality "should this help item be shown with full text or just collapsed".

Spring Security - Session Timeout without extending/renewing

Is there a way in Spring Security to set sessions to expire after a time, regardless of activity?
i.e. when someone logs in, they have exactly 30 minutes to work and then the session is dead, regardless of whether they have been navigating, making REST calls, etc.
I don't think so. But you can use Quartz scheduler for job scheduling and execute a job when you need, for example 30 minutes after the user logged in.
Adding the below lines in your web.xml should work out ideally.
<session-config>
<session-timeout>30</session-timeout>
</session-config>

Enforce javax.faces.application.ViewExpiredException for testing application

I would like to test my webapplication (JSF 2.2) which has a custom Esxception Handler Factory.
Now i would like to know if everything works as expected when a javax.faces.application.ViewExpiredException is thrown. Is there any way, I can decrease the time to wait for getting this exception?
Throwing it programmatically is not an option, as I would like to have a nearly 100% productive test scenario.
As far as I'm concerned, it should be enough to force a Session expiration while you keep the JSF view state in the server side:
Setting STATE_SAVING_METHOD to client has however an additional functional advantage: it prevents ViewExpiredExceptions when the session has expired or when the client opens too many views.
So, being the javax.faces.STATE_SAVING_METHOD defaulted to server, you only need to specify the timeout you want for the Http Session:
<session-config>
<session-timeout>2</session-timeout>
</session-config>
As an alternative, you could choose to set your own limit of views. That depends on the concrete JSF implementation, Mojarra defaults to 16 and MyFaces to 20. For the first one, you could use com.sun.faces.numberOfLogicalViews to decrease the amount of views accepted simultaneously per client. As an example, setting it to 3 should fire the exception when you've got four tabs opened in the same browser (same Http Session).
See also:
What is STATE_SAVING_METHOD parameter in JSF 2.0
Session TimeOut in web.xml
How can I set the view timeout?
In Google Chrome you can use the Developer Tools to delete the session cookie.
Web.xml
you should have something like:
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
Where the timeout is in minutes, so set to 1

session timeout automatic

I understand that the session timeout is for finding out an idle app and ending that particular session.
I have commented the session-timeout tag in the web.xml. Also I have not set any session timeout in my application anywhere else like maxInactiveInterval().
But my session is expiring nearly after 2 or 3 hours. Is there any automatic session timeout in Tomcat?
I have observed the above phenomenon in both Tomcat 5 & 7. Please help... I don't want a timeout happening for some purpose here.
If you don't want a timeout happening for some purpose:
<session-config>
<session-timeout>0</session-timeout>
</session-config>
should result in no timeout at all -> infinite
yes.In tomcat web.xml file see this code:
<session-config>
<session-timeout>30</session-timeout>
</session-config>
By default it set to 30 minutes. if you dont want session expiry simply put as 0 instead of 30.
session statics in tomcat.

Java EE / Struts persistent sessions

I'm doing my first Java EE web application and I'm struggling with sessions.
in my web.xml file I put the following settings:
<session-config>
<session-timeout>30</session-timeout>
</session-config>
But if I close my browser which is not configured to delete cookies on close,
after reopen the session is over.
How can I have a "persistent" session ?
check if a cookie named Jsessionid is getting created during your first request. And close your browser open it again and check if that cookie is still there and value is same.
I think it will not be, and that is the reason your session expires.
When a cookie's expiration is set to "session", it will get deleted by the browser when the user closes the browser. This has nothinng to do with the web.xml session-timeout setting, which will force-close the Java EE session server-side if there are no requests by the user in the designated timespan.
Spring has "remember me" functionality:
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/remember-me.html

Categories