Michael Isvy (Migrated from SEC-1142) said:
Consider the following use-case:
If I want to show a message that shows to the user that his session has been timed out, I need to handle that manually, using an HttpSessionListener (from the javax.servlet API). It would be nice to have a built-in feature for that in Spring Security.
As a suggestion, Spring Security could add a boolean request attribute called "sessionTimedOut".
Then it will be easy to display a message in the login page in case this boolean is set to true.
Luke Taylor said:
This would actually use the HttpServletRequest.getRequestedSessionId() and HttpServletRequest.isRequestedSessionIdValid() methods rather than an HttpSessionListener.
It would be preferable to supply a session-timeout-url attribute in the namespace, as this would allow you to either use the login page URL or another page as desired (many apps display a separate message to warn of a session timeout).
Support is now included via the SessionManagementFilter's invalidSessionUrl property. The filter will redirect to this URL if an invalid session ID is supplied. The corresponding namespace attribute is the invalid-session-url attribute on the element.
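The check described in the thread (a session ID was requested but is no longer valid), sketched as a plain servlet filter. This is an added example, not part of the original thread and not Spring Security's own code; the class name, the `invalidSessionUrl` init parameter and the `/session-timeout` default path are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter illustrating the check; not Spring Security's SessionManagementFilter.
public class InvalidSessionRedirectFilter implements Filter {

    // Assumed default path; the page must be reachable without authentication.
    private String invalidSessionUrl = "/session-timeout";

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("invalidSessionUrl"); // assumed parameter name
        // Accept only context-relative paths so the redirect cannot leave the application.
        if (configured != null && configured.startsWith("/") && !configured.startsWith("//")) {
            invalidSessionUrl = configured;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The client presented a session ID, but the container no longer holds that session.
        boolean staleId = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
        String target = request.getContextPath() + invalidSessionUrl;

        if (staleId && !request.getRequestURI().equals(target)) {
            // Create a fresh session so the stale ID is replaced and the next request is not redirected again.
            request.getSession(true);
            response.sendRedirect(target);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
```

A requested-but-invalid session ID also occurs after a container restart or when a client replays an old cookie, so the target page cannot assume the cause was an idle timeout.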