Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0 M2
    • Component/s: Core
    • Labels:
      None

      Description

      Consider the following use-case:

      • A user has been inactive for 10 minutes
      • His session has been timed out.
      • On the next click the user will go back to the login page

      If I want to show a message that shows to the user that his session has been timed out, I need to handle that manually, using an HttpSessionListener (from the javax.servlet API). It would be nice to have a built-in feature for that in Spring Security.

      As a suggestion, Spring Security could add a boolean request attribute called "sessionTimedOut".
      Then it will be easy to display a message in the login page in case this boolean is set to true.

        Activity

        Luke Taylor added a comment - edited

        This would actually use the HttpServletRequest.getRequestedSessionId() and HttpServletRequest.isRequestedSessionIdValid() methods rather than an HttpSessionListener.

        It would be preferable to supply a session-timeout-url attribute in the namespace, as this would allow you to either use the login page URL or another page as desired (many apps display a separate message to warn of a session timeout).

        Luke Taylor added a comment -

        Support is now included via the SessionManagementFilter's invalidSessionUrl property. The filter will redirect to this URL if an invalid session ID is supplied. The corresponding namespace attribute is the invalid-session-url attribute on the <http> element.
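
The check described in the comments above (a requested session ID that is no longer valid triggers a redirect to a configured URL), written as a plain javax.servlet filter. This is an added example, not Spring Security's SessionManagementFilter code; the class name and the "invalidSessionUrl" init-param name are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter illustrating the check; not the project's own implementation.
public class InvalidSessionRedirectFilter implements Filter {
    // Assumed init-param; the target is fixed server-side, never taken from the request.
    private String invalidSessionUrl;

    @Override
    public void init(FilterConfig config) throws ServletException {
        invalidSessionUrl = config.getInitParameter("invalidSessionUrl");
        if (invalidSessionUrl == null || !invalidSessionUrl.startsWith("/")
                || invalidSessionUrl.startsWith("//")) {
            throw new ServletException("invalidSessionUrl must be a context-relative path");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The client sent a session ID the container no longer recognises: timed out,
        // invalidated at logout, lost on restart, or never issued by this server at all.
        boolean staleId = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();

        if (staleId) {
            // Start a fresh session so the container issues a new ID; the client-supplied
            // value is never reused, and the follow-up request does not redirect again.
            request.getSession(true);
            response.sendRedirect(request.getContextPath() + invalidSessionUrl);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

Because the requested ID comes from the client, an invalid ID does not prove that a timeout occurred, so the page behind the redirect should use neutral wording and disclose nothing about the previous session.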


          People

          • Assignee:
            Luke Taylor
            Reporter:
            Michael Isvy
          • Votes:
            0
            Watchers:
            0
