SEC-1142: Support for session timeout detection #1390

spring-issuemaster opened this Issue Apr 23, 2009 · 2 comments


Michael Isvy (Migrated from SEC-1142) said:

Consider the following use-case:

  • A user has been inactive for 10 minutes
  • His session has been timed out.
  • On the next click the user will go back to the login page

If I want to show a message that shows to the user that his session has been timed out, I need to handle that manually, using an HttpSessionListener (from the javax.servlet API). It would be nice to have a built-in feature for that in Spring Security.

As a suggestion, Spring Security could add a boolean request attribute called "sessionTimedOut".
Then it will be easy to display a message in the login page in case this boolean is set to true.


Luke Taylor said:

This would actually use the HttpServletRequest.getRequestedSessionId() and HttpServletRequest.isRequestedSessionIdValid() methods rather than an HttpSessionListener.

It would be preferable to supply a session-timeout-url attribute in the namespace, as this would allow you to either use the login page URL or another page as desired (many apps display a separate message to warn of a session timeout).


Luke Taylor said:

Support is now included via the SessionManagementFilter's invalidSessionUrl property. The filter will redirect to this URL if an invalid session ID is supplied. The corresponding namespace attribute is the invalid-session-url attribute on the element.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M2 milestone Feb 5, 2016
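
The check described in the comments above, written as a plain javax.servlet filter. This is an added example, not part of the original thread and not Spring Security's own code; the class name and the `/login?timeout` target are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: redirects requests that present a session ID the container rejects. */
public class InvalidSessionRedirectFilter implements Filter {

    // Assumed page and marker. Both are fixed and context-relative, never taken
    // from request input, so the redirect cannot be steered to another site.
    private static final String TIMEOUT_PAGE = "/login";
    private static final String TIMEOUT_QUERY = "?timeout";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The client sent a session ID that the container does not recognise:
        // expired, invalidated, lost on restart, or never issued by this server.
        // The target page should therefore show a generic message only.
        boolean staleId = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();

        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (staleId && !TIMEOUT_PAGE.equals(path)) {
            // Issue a fresh session so the follow-up request carries a valid ID
            // and is not redirected a second time.
            request.getSession(true);
            response.sendRedirect(request.getContextPath() + TIMEOUT_PAGE + TIMEOUT_QUERY);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

A request with no session cookie at all (a first visit) has a null requested session ID and passes through untouched, so only returning clients with a dead ID see the timeout page.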