I am using Spring Boot and Spring Session to control an application using ReactJS as an interface. My problem is simple, and I tried several ways to deal without success.
The React section uses AJAX to call Spring REST services after logging in (I also use Spring Security), which is surprising for at least 30 minutes. After that, the session is dead, and all calls receive 302 with the account as the answer. It is EXPECTED.
But my problem is: what's the best way to increase the session lifetime (over 30 minutes by default)?
    // Gradle portion
    compile('org.springframework.boot:spring-boot-devtools')
    compile('org.springframework.boot:spring-boot-starter-jdbc')
    compile('org.springframework.boot:spring-boot-starter-thymeleaf')
    compile('org.springframework.boot:spring-boot-starter-web')
    compile('org.springframework.boot:spring-boot-starter-aop')
    compile('org.springframework.boot:spring-boot-starter-security')
    compile('org.springframework.security:spring-security-test:4.1.1.RELEASE')
    // Cache configuration - JDBC
    compile('org.springframework.session:spring-session:1.2.2.RELEASE')
    compile('org.springframework.session:spring-session-jdbc:1.2.2.RELEASE')
    compile('org.springframework.boot:spring-boot-starter-jdbc')
I use to add:
With this, I can see in the table SPRING_SESSION my session stored with MAX_INACTIVE_INTERVAL = 86400. Everything seems fine ... only 30 minutes. In the 31st minute, I will try to click on another page that triggers an AJAX call. I will get 302 on my login page as an answer.
I got exactly the same behavior using a different approach, installing through Java in Auth Success:
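    import java.io.IOException;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
    import org.springframework.stereotype.Component;

    @Component
    public class AuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

        @Value("${server.session.timeout}")
        private String defaultSessionTimeoutInSeconds;

        @Override
        public void onAuthenticationSuccess(
                HttpServletRequest request,
                HttpServletResponse response,
                Authentication authentication) throws ServletException, IOException {
            // Set the idle timeout on the session that was just authenticated.
            request.getSession().setMaxInactiveInterval(Integer.parseInt(defaultSessionTimeoutInSeconds));
            super.onAuthenticationSuccess(request, response, authentication);
        }
    }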
Of course, I can check my numbers in the saved database, but after 30 minutes the session is deleted again.
So, what is the right way to REALLY extend the Spring session timeout longer than 30 minutes? Since MAX_INACTIVE_INTERVAL does not do what I think it should do, what is the correct approach?
I can use the latest versions of any lib.
PS: I can consider another solution for redirecting the entire browser when my AJAX calls (based on JQuery) receive / login redirects as well as fallback situations.
Thanks in advance.
UPDATE:
I tried the following:
Add properties:

    server.session.cookie.max-age=777777
    security.sessions=never

The behavior has not changed. Debugging, I can see in JdbcOperationsSessionRepository#cleanUpExpiredSessions:

    @Scheduled(cron = "0 * * * * *")
    public void cleanUpExpiredSessions() {
        long now = System.currentTimeMillis();
        long maxInactiveIntervalSeconds = (this.defaultMaxInactiveInterval != null)
                ? this.defaultMaxInactiveInterval
                : MapSession.DEFAULT_MAX_INACTIVE_INTERVAL_SECONDS;
        final long sessionsValidFromTime = now - (maxInactiveIntervalSeconds * 1000);
this.defaultMaxInactiveInterval is still always populated with "1800", which means 30 minutes to kill all sessions.
And this is the expected behavior from the comments:

I'm still trying to change this constant default value of 1800 to something more ... :)
UPDATE 2
Studying the code carefully, in my case, when an instance of JdbcOperationsSessionRepository is created, it is created by JdbcHttpSessionConfiguration#sessionRepository
Where exactly:
    @Bean
    public JdbcOperationsSessionRepository sessionRepository(
            @Qualifier("springSessionJdbcOperations") JdbcOperations jdbcOperations,
            PlatformTransactionManager transactionManager) {
        JdbcOperationsSessionRepository sessionRepository =
                new JdbcOperationsSessionRepository(jdbcOperations, transactionManager);
        String tableName = getTableName();
        if (StringUtils.hasText(tableName)) {
            sessionRepository.setTableName(tableName);
        }
        // Always 1800 (private Integer maxInactiveIntervalInSeconds = 1800;)
        sessionRepository.setDefaultMaxInactiveInterval(this.maxInactiveIntervalInSeconds);
        if (this.lobHandler != null) {
            sessionRepository.setLobHandler(this.lobHandler);
        }
        if (this.springSessionConversionService != null) {
            sessionRepository.setConversionService(this.springSessionConversionService);
        }
        else if (this.conversionService != null) {
            sessionRepository.setConversionService(this.conversionService);
        }
        else if (deserializingConverterSupportsCustomClassLoader()) {
            GenericConversionService conversionService = createConversionServiceWithBeanClassLoader();
            sessionRepository.setConversionService(conversionService);
        }
        return sessionRepository;
    }
I did not find a clear option to cancel this perfectly.
UPDATE 3
Following the comments, I can only configure using annotations as:
    import org.springframework.session.jdbc.config.annotation.web.http.EnableJdbcHttpSession;

    @EnableJdbcHttpSession(tableName="MYSCHEMA.SPRING_SESSION", maxInactiveIntervalInSeconds = 86400)
    public class HttpSessionConfig {
    }
With this, I can save the session with a specific MAX_INACTIVE_INTERVAL = 86400.
But if I save the associated SPRING_SECURITY_CONTEXT (SPRING_SESSION_ATTRIBUTES) information with my new session, the entire session and attributes will be deleted after 30 minutes.
In a crazy test, I made a login, removed the SPRING_SECURITY_CONTEXT attribute of my session and the session is still there ...
The default session cleaner is correct and is NOT an intruder here.
    2016-10-04 12:18:02,081 8808479 [pool-1-thread-1] INFO dstsScheduledCacheRefresher - Checking refreshable caches now.
    2016-10-04 12:19:00,001 8866399 [pool-1-thread-1] DEBUG ossjJdbcOperationsSessionRepository - Cleaning up sessions older than Mon Oct 03 12:19:00 BRT 2016
    2016-10-04 12:19:02,050 8868448 [pool-1-thread-1] DEBUG ossjJdbcOperationsSessionRepository - Cleaned up 0 expired sessions
    2016-10-04 12:19:02,051 8868449 [pool-1-thread-1] INFO dstsScheduledCacheRefresher - Checking refreshable caches now.
    2016-10-04 12:20:00,001 8926399 [pool-1-thread-1] INFO dstsScheduledCacheRefresher - Checking refreshable caches now.
    2016-10-04 12:20:00,003 8926401 [pool-1-thread-1] DEBUG ossjJdbcOperationsSessionRepository - Cleaning up sessions older than Mon Oct 03 12:20:00 BRT 2016
    2016-10-04 12:20:02,063 8928461 [pool-1-thread-1] DEBUG ossjJdbcOperationsSessionRepository - Cleaned up 0 expired sessions

The log never showed removal for them.
Thus, everything that checks for SPRING_SECURITY_CONTEXT still has a 30 minute default timeout, and it causes a whole session invalidation.
I am trying to add more breakpoints to figure this out. :)
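
The cutoff quoted in the first update is computed from the repository-wide default, not from each row's MAX_INACTIVE_INTERVAL. The following added example (not part of the original post and not Spring Session code) models that sweep over constructed rows, assuming the cleaner deletes every row whose last access is older than the cutoff; the class, method and row names are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added illustration, not Spring Session source. Assumption: the scheduled
// cleaner deletes every row whose last access is older than the cutoff.
public class SessionSweepModel {
    // Constructed stand-in for one SPRING_SESSION row.
    static final class Row {
        final String id;
        final long lastAccessMillis;
        final int maxInactiveIntervalSeconds; // MAX_INACTIVE_INTERVAL column
        Row(String id, long lastAccessMillis, int maxInactiveIntervalSeconds) {
            this.id = id;
            this.lastAccessMillis = lastAccessMillis;
            this.maxInactiveIntervalSeconds = maxInactiveIntervalSeconds;
        }
    }

    // Cutoff as in the quoted excerpt: one repository-wide default for all rows.
    static List<String> sweepWithRepositoryDefault(List<Row> rows, long now, int defaultSeconds) {
        long sessionsValidFromTime = now - (defaultSeconds * 1000L);
        List<String> deleted = new ArrayList<>();
        for (Row r : rows) {
            if (r.lastAccessMillis < sessionsValidFromTime) deleted.add(r.id);
        }
        return deleted;
    }

    // For comparison: expiry judged by each row's own stored interval.
    static List<String> expiredByOwnInterval(List<Row> rows, long now) {
        List<String> expired = new ArrayList<>();
        for (Row r : rows) {
            if (now - r.lastAccessMillis > r.maxInactiveIntervalSeconds * 1000L) expired.add(r.id);
        }
        return expired;
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis(), minute = 60_000L;
        List<Row> rows = Arrays.asList( // constructed sample rows
            new Row("idle-5-min", now - 5 * minute, 86400),
            new Row("idle-31-min", now - 31 * minute, 86400),
            new Row("idle-25-hours", now - 25 * 60 * minute, 86400));
        System.out.println("default 1800:  " + sweepWithRepositoryDefault(rows, now, 1800));
        System.out.println("default 86400: " + sweepWithRepositoryDefault(rows, now, 86400));
        System.out.println("per-row value: " + expiredByOwnInterval(rows, now));
    }
}
```

In this model a repository default of 1800 sweeps the row idle for 31 minutes even though its own column stores 86400, while a default of 86400 agrees with the per-row check.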