Spring
andrew_d, 2017-08-16 16:29:21

How to increase session duration in Spring Security?

Good afternoon!
I am creating a small web service for my spring-boot application.
I have a problem with the duration of the session of authorized users.
Set in properties:
server.session.timeout=2678400
But it does not help. After 30 minutes of inactivity, the user gets a 403 and needs to log in again.
Tried to implement remember-me.
My config

```java
// inside configure(HttpSecurity http) of the WebSecurityConfigurerAdapter
http
        .csrf().disable()
        .rememberMe()
            .tokenRepository(persistenceTokenRepository)
            .rememberMeCookieName("time_manager_remember_me")
            .tokenValiditySeconds(60 * 60 * 24 * 3)
            .alwaysRemember(true)
            .useSecureCookie(true)
            .and()
        .authorizeRequests()
            .antMatchers("/", "/home").permitAll()
            .antMatchers("/static/").hasRole("USER")
            .antMatchers("/service/users").hasRole("ADMIN")
            .antMatchers("/api/**").hasRole("USER")
            .antMatchers("/public/**").permitAll()
            .antMatchers("/login").permitAll()
            .anyRequest().authenticated()
            .and()
        .logout()
            .permitAll();
```

But it doesn't work. Sessions are created.
The user receives two cookies "JSESSIONID" and "remember-me".
The "persistent_logins" table gets populated, but the session is not extended. The user is logged out after half an hour, as before.
I authenticate users this way:
```java
@RequestMapping(value = "/login", method = RequestMethod.POST)
public ResponseEntity<?> loginUser(@RequestParam("email") String userName,
                                   @RequestParam("password") String password,
                                   HttpServletRequest request,
                                   HttpServletResponse servletResponse) {

    User user = usersService.loadUserByUsername(userName);
    if (user != null) {
        if (new BCryptPasswordEncoder().matches(password, user.getPassword())) {
            Authentication auth = new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
            SecurityContextHolder.getContext().setAuthentication(auth);
            persistentTokenBasedRememberMeServices.loginSuccess(request, servletResponse, auth);
            return new ResponseEntity<>(user, HttpStatus.OK);
        }
    }
    return new ResponseEntity<>(HttpStatus.FORBIDDEN);
}
```

Tell me what I'm doing wrong; it's not great to make people log in to the application every half hour.
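Added example, not the asker's code. The post reports the browser receiving a cookie named "remember-me" even though the configuration names it "time_manager_remember_me": the remember-me filter only extracts the cookie whose name it was configured with, so a cookie written by a separately constructed services instance (which defaults to "remember-me") is never consulted, and once the HTTP session expires nothing re-authenticates the user. The configuration below wires one PersistentTokenBasedRememberMeServices bean into both the filter and the login endpoint, keeps CSRF enabled, and authenticates through the AuthenticationManager instead of a hand-rolled BCrypt compare. The remember-me key, the class names and the controller body are assumptions; it assumes usersService implements UserDetailsService and that the persistenceTokenRepository bean from the question exists.

```java
// Added example, not the asker's code: one PersistentTokenBasedRememberMeServices bean shared by
// the remember-me filter and the manual login endpoint, so the cookie the endpoint writes is the
// one the filter reads. Assumes usersService implements UserDetailsService and that the
// persistenceTokenRepository bean from the question (backing persistent_logins) exists.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.*;
import org.springframework.http.*;
import org.springframework.security.authentication.*;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.*;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.rememberme.*;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.bind.annotation.*;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // Hypothetical key, load it from configuration in practice; the services bean and the
    // RememberMeAuthenticationProvider built by the configurer must share it.
    private static final String REMEMBER_ME_KEY = "replace-with-a-long-random-secret";
    private static final String COOKIE_NAME = "time_manager_remember_me";
    private static final int THREE_DAYS_SECONDS = 60 * 60 * 24 * 3;

    @Autowired private UserDetailsService usersService;
    @Autowired private PersistentTokenRepository persistenceTokenRepository;

    // The single remember-me services instance. A second, separately constructed instance
    // defaults to the cookie name "remember-me", which the filter built here never reads.
    @Bean
    public PersistentTokenBasedRememberMeServices rememberMeServices() {
        PersistentTokenBasedRememberMeServices services = new PersistentTokenBasedRememberMeServices(
                REMEMBER_ME_KEY, usersService, persistenceTokenRepository);
        services.setCookieName(COOKIE_NAME);
        services.setTokenValiditySeconds(THREE_DAYS_SECONDS);
        services.setAlwaysRemember(true);
        // A Secure cookie is only sent over HTTPS; over plain http:// the browser never returns it.
        services.setUseSecureCookie(true);
        return services;
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(usersService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF stays on: a three-day auto-login cookie plus disabled CSRF lets any site POST to /api/** as the victim.
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
            .rememberMe().rememberMeServices(rememberMeServices()).key(REMEMBER_ME_KEY).and()
            .authorizeRequests()
                .antMatchers("/", "/home", "/login", "/public/**").permitAll()
                .antMatchers("/service/users").hasRole("ADMIN")
                .antMatchers("/api/**").hasRole("USER")
                .anyRequest().authenticated()
                .and()
            .logout().permitAll();
    }
}

@RestController
class LoginController {
    @Autowired private AuthenticationManager authenticationManager;
    @Autowired private PersistentTokenBasedRememberMeServices rememberMeServices; // same bean as the filter

    @PostMapping("/login")
    public ResponseEntity<String> login(@RequestParam("email") String email,
                                        @RequestParam("password") String password,
                                        HttpServletRequest request, HttpServletResponse response) {
        try {
            // The AuthenticationManager runs the BCrypt check plus the locked/disabled/expired checks.
            Authentication auth = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(email, password));
            SecurityContextHolder.getContext().setAuthentication(auth);
            // The context is saved to the HTTP session when this request ends; this call writes the cookie and DB row.
            rememberMeServices.loginSuccess(request, response, auth);
            return ResponseEntity.ok(auth.getName());
        } catch (AuthenticationException e) {
            return new ResponseEntity<>(HttpStatus.UNAUTHORIZED);
        }
    }
}
```

Two checks worth making before blaming the session: the Secure attribute from useSecureCookie(true) means the browser only returns the cookie over HTTPS, so a test against plain http://localhost will never present it; and after the JSESSIONID expires, a request carrying the correctly named cookie should produce a new session and a row-rotated token in persistent_logins, which is visible in the table. With CSRF left enabled, a JavaScript client must echo the XSRF-TOKEN cookie back in the X-XSRF-TOKEN header on state-changing requests.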


1 answer(s)
Alexander Kosarev, 2017-08-17
@jaxtr

If you are deploying an application in a servlet container, then you need to additionally specify the session lifetime in web.xml:

```xml
<session-config>
    <session-timeout>60</session-timeout>
</session-config>
```

The example is for 60 minutes; if you need a session that never expires, use -1.
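Added example, not part of the answer. The web.xml value is in minutes and only matters when the application runs inside an external servlet container; Spring Boot 1.x reads server.session.timeout (in seconds) for its embedded container, and Boot 2.x renamed the property to server.servlet.session.timeout. A quick way to see which value actually won is an HttpSessionListener that logs the idle timeout of each new session and enforces the intended one. It assumes a Spring Boot application, where a @Component listener is registered with the container automatically (in a plain WAR, declare the class in web.xml with <listener>); the 31-day value and the class name are assumptions.

```java
// Added example, not part of the answer. Logs the idle timeout the container actually gave a
// new session and enforces the intended one. Assumes a Spring Boot app, where a @Component
// HttpSessionListener is registered with the container automatically; in a plain WAR declare
// the class in web.xml with <listener>. The 31-day value is an assumption.
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

@Component
public class SessionTimeoutListener implements HttpSessionListener {
    private static final Logger log = LoggerFactory.getLogger(SessionTimeoutListener.class);

    // Seconds here; web.xml's <session-timeout> is minutes. Kept bounded on purpose: a negative
    // value (web.xml's -1) keeps a leaked JSESSIONID usable until it is explicitly invalidated.
    static final int MAX_IDLE_SECONDS = 31 * 24 * 60 * 60;

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        int applied = session.getMaxInactiveInterval(); // seconds; negative means never expires
        if (applied != MAX_IDLE_SECONDS) {
            // 1800 here means the container default won: neither the Boot property nor web.xml
            // reached this container. Session ids are deliberately not logged.
            log.warn("New session created with idle timeout {}s, overriding to {}s", applied, MAX_IDLE_SECONDS);
            session.setMaxInactiveInterval(MAX_IDLE_SECONDS);
        }
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Fires on logout, invalidate() and idle expiry alike.
        log.debug("Session destroyed");
    }
}
```

A long idle timeout trades convenience for exposure: every session cookie stays valid for the whole window, so pair it with HttpOnly and Secure cookie flags and invalidate sessions on logout and password change rather than relying on expiry.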
