I am trying to get a Spring Security session to expire 30 minutes after login. I do not want the timeBeforeExpiration to be reset after every interaction.
Current Configuration:
<session-config>
<session-timeout>30</session-timeout>
</session-config>
Thanks
It does not appear to be possible with standard spring security.
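One way to get the absolute cap the question asks for, as an added example that is not part of the original thread: the web.xml session-timeout is an inactivity timeout and is refreshed on every request, so the hard limit has to be enforced separately. The filter below records the login instant in the session on the first authenticated request and invalidates the session once that instant plus the configured lifetime has passed, whatever the recent activity. It assumes Spring Security 6 with the jakarta.servlet namespace (older projects use javax.servlet); the attribute name ABSOLUTE_LOGIN_TIME and the redirect target are assumptions, not anything from the thread.

```java
// Added example, not the original poster's code: a filter that enforces an absolute session
// lifetime measured from login, independent of the inactivity timeout in web.xml.
// Assumes Spring Security 6 / jakarta.servlet; replace with javax.servlet on older stacks.
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

public class AbsoluteSessionTimeoutFilter extends OncePerRequestFilter {

    // Hypothetical attribute name; any name that no other code writes will do.
    static final String LOGIN_TIME_ATTR = "ABSOLUTE_LOGIN_TIME";

    private final Duration maxLifetime;
    private final String expiredUrl;

    public AbsoluteSessionTimeoutFilter(Duration maxLifetime, String expiredUrl) {
        this.maxLifetime = maxLifetime;
        this.expiredUrl = expiredUrl;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        boolean loggedIn = auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);

        if (session != null && loggedIn) {
            Instant loginTime = (Instant) session.getAttribute(LOGIN_TIME_ATTR);
            if (loginTime == null) {
                // First authenticated request on this session: stamp the login time.
                // session.getCreationTime() is not a substitute: with session-fixation
                // protection set to changeSessionId the session object predates the login.
                session.setAttribute(LOGIN_TIME_ATTR, Instant.now());
            } else if (Instant.now().isAfter(loginTime.plus(maxLifetime))) {
                // Hard cap reached: drop the session and the security context regardless
                // of how recently the user was active, then send them back to log in.
                session.invalidate();
                SecurityContextHolder.clearContext();
                response.sendRedirect(request.getContextPath() + expiredUrl);
                return;
            }
        }
        chain.doFilter(request, response);
    }
}
```

Register it after the filter that loads the security context so that getAuthentication() is populated, for example with http.addFilterAfter(new AbsoluteSessionTimeoutFilter(Duration.ofMinutes(30), "/login?expired"), SecurityContextHolderFilter.class) in Spring Security 6 (SecurityContextPersistenceFilter in 5.x). Keep the web.xml inactivity timeout as well: the filter only bounds the lifetime of a session that is still being used, while the container timeout reclaims sessions that were simply abandoned.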
I have an application in which I include an XForms form with Orbeon 3.9.
My form when left for about 5 minutes displays message dialog about the session being expired.
How can I extend the lifetime of form session to the time when user will close his browser?
This app will have not many users and will be idle most of the time so efficiency is not a problem.
Edit:
I've just noticed that when I open multiple forms in their own tabs, only the last opened form has a non-expired session; in the rest of them I see the "Session has expired" dialog box.
Can Orbeon handle more than one form being filled in by the same user at the same time?
In general you can set a Java web application's session timeout in the WAR file's web.xml with the <session-config> element. For example, this sets the session timeout to 60 minutes:
<session-config>
<session-timeout>60</session-timeout>
</session-config>
You can extend the session duration accordingly.
I have tried the spring session samples and it is really interesting.
I am trying to do the following: I am trying to plug Spring Session into a RESTful service where I want different TTLs for the session IDs based on the request.
For example, a client consuming my RESTful service may have the remember-me option on or off.
When remember-me is on I want to provide a TTL of 90 days, whereas when remember-me is off I want to set the TTL to 5 minutes. How do we achieve this in Spring Session?
Also, how do we manage (limit) concurrent sessions for a user? Can concurrent session control be achieved by integrating with Spring Security, or is the same capability provided in Spring Session?
Please suggest; any help is highly appreciated.
This can be done by calling HttpSession.setMaxInactiveInterval(int timeInSeconds). For example, after authenticating the user, you could do the following:
int someTime = getExpireBasedOnMyCriteria();
httpServletRequest.getSession().setMaxInactiveInterval(someTime);
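The two-line answer above, carried through into a complete Spring Security hook, as an added example that is not part of the original answer: an AuthenticationSuccessHandler that chooses the TTL from the remember-me choice and applies it to the session before the normal redirect. With Spring Session the HttpSession wrapper stores the interval per session, so the backing store's expiry follows it. The request parameter name "remember-me", the 90-day and 5-minute values and the jakarta.servlet namespace are assumptions; a JSON API would read the flag from the body instead.

```java
// Added example, not the original answer's code: select the session TTL at login time
// from a hypothetical "remember-me" request parameter. Assumes Spring Security 6 /
// jakarta.servlet; use javax.servlet on older stacks.
import java.io.IOException;
import java.time.Duration;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

public class TtlSelectingSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    // Assumed values: the question asks for 90 days with remember-me on, 5 minutes off.
    static final Duration LONG_TTL = Duration.ofDays(90);
    static final Duration SHORT_TTL = Duration.ofMinutes(5);
    static final String REMEMBER_ME_PARAM = "remember-me";

    // Pure decision function, kept separate so it can be unit-tested without a container.
    // Accepts the two spellings browsers and checkboxes commonly send.
    static Duration ttlFor(String rememberMeValue) {
        boolean rememberMe = "true".equalsIgnoreCase(rememberMeValue)
                || "on".equalsIgnoreCase(rememberMeValue);
        return rememberMe ? LONG_TTL : SHORT_TTL;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication)
            throws ServletException, IOException {
        Duration ttl = ttlFor(request.getParameter(REMEMBER_ME_PARAM));
        // setMaxInactiveInterval is an inactivity timeout: each request restarts the clock.
        // 90 days = 7,776,000 seconds, well within int range.
        request.getSession().setMaxInactiveInterval((int) ttl.getSeconds());
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
```

Wire it in with formLogin(form -> form.successHandler(new TtlSelectingSuccessHandler())). Two caveats a practitioner would want: a 90-day inactivity window turns the session cookie into a long-lived credential, so treat it like a remember-me token (Secure and HttpOnly flags, re-authentication before sensitive actions); and for the concurrency half of the question, Spring Session provides SpringSessionBackedSessionRegistry so that Spring Security's concurrent session control can count sessions held in the Spring Session store rather than in the local JVM.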
I am using the Spring Security Core plugin for my Grails application and I am facing a problem: when I leave my app idle for more than 5-10 minutes, I need to restart the application.
I thought it was a session timeout problem, so I added a session-timeout tag to my web.xml, but it didn't help.
What else can I try?
Just check in your application; maybe you are using
request.getSession().setMaxInactiveInterval(Integer.parseInt(value)*60);
This line overrides the session timeout configured in web.xml.
Or
Use this line in your application when you are creating the session for the user (at login time).
I think the default timeout is something like every half hour.
I'd like to change this to 2 weeks. Anyone got any ideas?
Is this done usually from the STS side or the client side? Is forms authentication getting in the way too, or is that now irrelevant?
I just fixed this myself; persistentCookiesOnPassiveRedirects needs to be enabled on the RP.
In your web.config you need:
<microsoft.identityModel>
<federatedAuthentication>
<wsFederation
persistentCookiesOnPassiveRedirects="true" />
<cookieHandler
persistentSessionLifetime="60.0:0:0" />
</federatedAuthentication>
</microsoft.identityModel>
The timeout for the FedAuth token may be managed in the web.config for the claims-aware application. An example with documentation may be found here. Keep in mind, though, that there is the STS-side of the coin and that the timeout may need to be increased there as well to prevent the user from having to sign-in again when moving from one application to another after an extended period.
If the cookie is timing out you can also look at using sliding sessions in your WIF application.
This means that the cookie will continue to be re-established while the user is "using" the application.
http://www.cloudidentity.com/blog/2013/05/08/sliding-sessions-for-wif-4-5/
The description about persistentSessionLifetime in MSDN is not true. For example, if you set it to 1.6:13:45.0, the cookie will expire after 30 hours (1 day + 6 hours) 13 minutes and 45 seconds +/- the maximumClockSkew from <identityConfiguration>. So the description from MSDN should be like the one from TimeSpan: [-]d.hh:mm:ss.ff. I hope Microsoft changes the wrong description.
I have a problem with my J2EE application using Spring Security. I set max-sessions in concurrent-session-control to 1. Now it works fine: when I try to log in a second time it stops me. But when I log out the other one and try to log in again I still get the same message:
Your login attempt was not successful, try again.
Reason: Maximum sessions of 1 for this principal exceeded
I have this in my http security configuration:
<security:logout logout-url="/logout.do"
invalidate-session="true" logout-success-url="/logoutSuccess.do" />
<security:concurrent-session-control
max-sessions="1" exception-if-maximum-exceeded="true" expired-url="/loginform.do" />
It's been quite a while since you posted this, but if anyone else is having this problem I believe this behavior will occur if you don't add org.springframework.security.web.session.HttpSessionEventPublisher as a listener in your web.xml.
See here:
Adding the listener to web.xml causes an ApplicationEvent to be published to the Spring ApplicationContext every time a HttpSession commences or terminates. This is critical, as it allows the SessionRegistryImpl to be notified when a session ends. Without it, a user will never be able to log back in again once they have exceeded their session allowance, even if they log out of another session or it times out.
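The question's XML and the fix in this answer, expressed as Spring Security Java configuration, as an added example that is not part of the original thread: the same logout and single-session settings, plus the HttpSessionEventPublisher registered as a bean so that session destruction (logout or timeout) reaches the SessionRegistry. It assumes Spring Security 6 (the SecurityFilterChain style); the web.xml listener form of the same registration is shown in the leading comment for projects that stay on XML.

```java
// Added example, not code from the original thread: Java-config equivalent of the question's
// <security:logout> / <security:concurrent-session-control> setup, with the listener that the
// answer identifies as missing. The web.xml form of that registration is:
//   <listener>
//     <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
//   </listener>
// Assumes Spring Security 6; on 5.x the same calls live inside a WebSecurityConfigurerAdapter.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SingleSessionSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // The login form and the post-logout page must be reachable unauthenticated.
                .requestMatchers("/loginform.do", "/logoutSuccess.do").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/loginform.do"))
            .logout(logout -> logout
                .logoutUrl("/logout.do")              // logout-url="/logout.do"
                .invalidateHttpSession(true)          // invalidate-session="true"
                .logoutSuccessUrl("/logoutSuccess.do")) // logout-success-url="/logoutSuccess.do"
            .sessionManagement(session -> session
                .maximumSessions(1)                   // max-sessions="1"
                .maxSessionsPreventsLogin(true)       // exception-if-maximum-exceeded="true"
                .expiredUrl("/loginform.do"));        // expired-url="/loginform.do"
        return http.build();
    }

    // Without this bean the SessionRegistry is never told that a session ended, so after
    // logging out the user keeps getting "Maximum sessions of 1 for this principal exceeded"
    // until the old session times out on its own.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

Under Spring Boot, an HttpSessionListener declared as a bean is registered with the embedded container automatically; a WAR deployed to an external container without Boot still needs the web.xml listener entry. One design caveat: maxSessionsPreventsLogin(true) (the question's exception-if-maximum-exceeded="true") means anyone holding a live session for the principal, including an attacker who stole one, blocks the legitimate user until that session expires. The default of false instead expires the oldest session on the next login, which is the safer choice in most deployments.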
Please check that the error page is not cached (press F5) and look in the logs to see if the logout is working fine.
Make sure your Spring Security Filters run before your Struts Filter.
Set a break point at Spring Security's LogoutFilter.doFilterHttp method. Make sure that part runs properly.