Is there a way in Spring Security to set sessions to expire after a time, regardless of activity?
i.e. when someone logs in, they have exactly 30 minutes to work and then the session is dead, regardless of whether they have been navigating, making REST calls, etc.
I don't think so. But you can use Quartz scheduler for job scheduling and execute a job when you need, for example 30 minutes after the user logged in.
Adding the below lines in your web.xml should work out ideally.
<session-config>
<session-timeout>30</session-timeout>
</session-config>
Related
I have a J2EE application which uses JSF and Spring 3.x. My web app is developed in *.xhtml, and I have used JSF ManagedBeans.
I want to redirect to login page when the session has elapsed the timeoout. I am bit new and need to know the following.
How to set the session timeout time(Basically I want to set a maximum time where the application would be idle and redirect to the login page with an invalid session)
What is the meta tag which I need to place in my *.xhtml which will direct to the login page?
Hope the requirement is clear. Just stating the requirements of my problem again
System should not invalid the session as far as the user is interacting with the system.
It Should only invalid the session and redirect to the login page when the system has been idle for a given time.
Tech Stack
JSF with ManagedBeans(Have used face-config.xml etc..)
Spring for the service layer
Hibernate for the DAO layer and in defining the entities.
If by "idle" you mean not sending any request to the server then you have to set the session-timeout in your web.xml file. It should look like this for a 30 minutes timeout :
<session-config>
<session-timeout>30</session-timeout>
</session-config>
To handle the redirection to login when the session timeout have a look at this answer.
I have a request from a client to stop sessions timing out (yes, I know this is a bad idea). The webapp is developed using Spring Security and will be hosted on Heroku. I know I can set a finite session timeout with:
<session-config>
<session-timeout>15</session-timeout>
</session-config>
I'm hoping there's a parameter I can put here (-1 perhaps?) that will prevent the session timing out.
You can use -1 and the session will not expire.
<session-timeout>-1</session-timeout>
Session invalidate because there is no communication between client-side and server side so server don't know about the users state.
Here you need infinite session timeout so Use -1 in <session-timeout> tag because -1 is for session never expires
<session-config>
<session-timeout>-1</session-timeout>
</session-config>
From Java side
request.getSession().setMaxInactiveInterval(-1);
I would like to test my webapplication (JSF 2.2) which has a custom Esxception Handler Factory.
Now i would like to know if everything works as expected when a javax.faces.application.ViewExpiredException is thrown. Is there any way, I can decrease the time to wait for getting this exception?
Throwing it programmatically is not an option, as I would like to have a nearly 100% productive test scenario.
As far as I'm concerned, it should be enough to force a Session expiration while you keep the JSF view state in the server side:
Setting STATE_SAVING_METHOD to client has however an additional functional advantage: it prevents ViewExpiredExceptions when the session has expired or when the client opens too many views.
So, being the javax.faces.STATE_SAVING_METHOD defaulted to server, you only need to specify the timeout you want for the Http Session:
<session-config>
<session-timeout>2</session-timeout>
</session-config>
As an alternative, you could choose to set your own limit of views. That depends on the concrete JSF implementation, Mojarra defaults to 16 and MyFaces to 20. For the first one, you could use com.sun.faces.numberOfLogicalViews to decrease the amount of views accepted simultaneously per client. As an example, setting it to 3 should fire the exception when you've got four tabs opened in the same browser (same Http Session).
See also:
What is STATE_SAVING_METHOD parameter in JSF 2.0
Session TimeOut in web.xml
How can I set the view timeout?
In Google Chrome you can use the Developer Tools to delete the session cookie.
Web.xml
you should have something like:
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
Where the timeout is in minutes, so set to 1
I understand that the session timeout is for finding out an idle app and ending that particular session.
I have commented the session-timeout tag in the web.xml. Also I have not set any session timeout in my application anywhere else like maxInactiveInterval().
But my session is expiring nearly after 2 or 3 hours. Is there any automatic session timeout in Tomcat?
I have observed the above phenomenon in both Tomcat 5 & 7. Please help... I don't want a timeout happening for some purpose here.
If you don't want a timeout happening for some purpose:
<session-config>
<session-timeout>0</session-timeout>
</session-config>
should result in no timeout at all -> infinite
yes.In tomcat web.xml file see this code:
<session-config>
<session-timeout>30</session-timeout>
</session-config>
By default it set to 30 minutes. if you dont want session expiry simply put as 0 instead of 30.
session statics in tomcat.
I need to change the session time for my web Application.
The web application is created using Struts 2.0 and is deployed on Tomcat Web Server.
I tried it by changing the timeout in web.xml of server like below.
<session-config>
<session-timeout>1</session-timeout>
</session-config>
And also i tried it by puting above code in web.xml of Web Application.
But both of above solutions did not work.
Still, Web Applicaiton session is maintained for 30 minutes. Please suggest how can i change the session timout value.
Thanks
Jyoti
It should work. Put it in webapps/yourapp/WEB-INF/web.xml. Remove it from the server's web.xml. And make sure everything is freshly redeployed.
Also make sure you are not interacting with the session (including ajax) for that amount of time.