
Timeouts are not correct for servlet in spring boot


This is remote server properties:

server.servlet.session.timeout=3m

Same for my local.properties

Also, we have a config like this:

http
    .sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
    .invalidSessionUrl("/login?invalidSession") // do not touch
    .maximumSessions(1)
    .maxSessionsPreventsLogin(true)
    .expiredUrl("/login?expired")
    .sessionRegistry(sessionRegistry());

We have a class like this:

@Bean // Http Listener
public HttpSessionListener httpSessionListener() {
    return new HttpSessionListener() {
        @Override
        public void sessionCreated(HttpSessionEvent se) {
            HttpSession session = se.getSession();

            if (session != null) {
                // Log the timeout the container assigned to the new session
                LoggerService.logger.info("sessionCreated sessionid: {}, setMaxInactiveInterval: {}, ipaddress: {}",
                        session.getId(), session.getMaxInactiveInterval(), SecurityUtil.getIpAddress());
            }
        }
    };
}

I did this to see internal times.

But on the server, I see this log:

sessionCreated sessionid: 342E6139B2FE108D26537C9D684FBFF3, setMaxInactiveInterval: 1800, ipaddress: null

It must be 180, not 1800. Why does it multiply?

We don't have any other code that sets this. For example:

request.getSession(false).setMaxInactiveInterval(11);

We don't have this. But I will use this if I can't find any solution.

For example, for remote, I changed to this:

server.servlet.session.timeout=44s

But what i see is:

sessionCreated sessionid: 7C3573FE7B5FB6C8939DF8BF60B1B550, setMaxInactiveInterval: 1800, ipaddress: null

Is Tomcat 9 doing this?

On my local, I use those properties to test.

So

server.servlet.session.timeout=44s

for my local and remote server database configurations for my local.

But this time:

 sessionCreated sessionid: 747E6BF3DCD061DFF306325FE4FD76B6, getMaxInactiveInterval: 60, ipaddress: 0:0:0:0:0:0:0:1
747E6BF3DCD061DFF306325FE4FD76B6    0:0:0:0:0:0:0:1 Session Created

What am I doing wrong?

For the last test, I added this to the success handler for my local but with remote properties:

  LoggerService.logger.info("onAuthenticationSuccess sessionid: {}, getMaxInactiveInterval: {}, ipaddress: {}",
                    session.getId(), session.getMaxInactiveInterval(), SecurityUtil.getIpAddress());

            request.getSession(false).setMaxInactiveInterval(55);

            LoggerService.logger.info("onAuthenticationSuccess sessionid: {}, getMaxInactiveInterval: {}, ipaddress: {}",
                    session.getId(), session.getMaxInactiveInterval(), SecurityUtil.getIpAddress());

If I enter my username and password, I can see this:

   : onAuthenticationSuccess sessionid: F796EA6C54D8BCA239A36E02C4A7A030, getMaxInactiveInterval: 60, ipaddress: 0:0:0:0:0:0:0:1

  : onAuthenticationSuccess sessionid: F796EA6C54D8BCA239A36E02C4A7A030, getMaxInactiveInterval: 55, ipaddress: 0:0:0:0:0:0:0:1

I also did this:

@Bean // Http Listener
public HttpSessionListener httpSessionListener() {
    return new HttpSessionListener() {
        @Override
        public void sessionCreated(HttpSessionEvent se) {
            HttpSession session = se.getSession();

            if (session != null) {
                // Timeout before the programmatic override
                LoggerService.logger.info("sessionCreated sessionid: {}, setMaxInactiveInterval: {}, ipaddress: {}",
                        session.getId(), session.getMaxInactiveInterval(), SecurityUtil.getIpAddress());

                session.setMaxInactiveInterval(55); // seconds

                // Timeout after the programmatic override
                LoggerService.logger.info("sessionCreated sessionid: {}, setMaxInactiveInterval: {}, ipaddress: {}",
                        session.getId(), session.getMaxInactiveInterval(), SecurityUtil.getIpAddress());
            }
        }
    };
}

It is again the same:

sessionCreated sessionid: FFA7DC9A6558951F1CB790AD9D804F88, getMaxInactiveInterval: 60, ipaddress: null
sessionCreated sessionid: FFA7DC9A6558951F1CB790AD9D804F88, getMaxInactiveInterval: 55, ipaddress: null
FFA7DC9A6558951F1CB790AD9D804F88    0:0:0:0:0:0:0:1 Session Created

For remote, I tested with the same code and it also worked, but I don't want to set it programmatically.

sessionCreated before sessionid: 38EC29F7C9C45B34D1FDF05B1F90DC3A, getMaxInactiveInterval: 1800, ipaddress: 192.ss

sessionCreated after sessionid: 38EC29F7C9C45B34D1FDF05B1F90DC3A, getMaxInactiveInterval: 180, ipaddress: 192.ss

So, there are two problems:

  1. Why is application-remote-properties timeout value not working for local?
  2. Why is remote timeout multiplied by 10 (properties has 3m but log shows 1800s)?

Solution

  • The server.* properties are used to control the embedded container used by Spring Boot. Spring Boot will create an instance of the servlet container using one of the ServletWebServerFactory instances. These classes use the server.* properties to configure the controlled servlet container (tomcat, jetty etc).

    However when you are deploying the application as a war file to a Tomcat instance the server.* properties don't apply. They don't apply because a pre-configured servlet container is available (as it is a remotely running service). So deploying to a remote Tomcat will make the server.* properties useless.

    Regarding the session timeout being in minutes. Spring Boot will convert the session.servlet.session.timeout property to minutes, so 44s or 55s will be automatically converted to 1 minute. Setting it to something less than a minute also will not make much sense as Tomcat invalidates sessions with a thread running each minute.
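
One way to keep the configured idle timeout from silently falling back to the container default in a WAR deployment, as an added example that is not part of the original answer or of Spring Boot's own code. It assumes Spring Boot 2.x (`javax.servlet`), a Servlet 4.0 container such as Tomcat 9, and a WAR started through `SpringBootServletInitializer`; the class and bean names are hypothetical.

```java
import java.time.Duration;

import javax.servlet.ServletContext;

import org.springframework.boot.autoconfigure.web.ServerProperties;
import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical configuration class (added example).
@Configuration
public class SessionTimeoutConfig {

    // The servlet API stores the context-wide timeout in whole minutes.
    // Sub-minute values are raised to 1 minute, which is why 44s shows up
    // as getMaxInactiveInterval() == 60 in the logs above.
    static int toWholeMinutes(Duration timeout) {
        if (timeout.isZero() || timeout.isNegative()) {
            return 0; // 0 or less means sessions never time out
        }
        return (int) Math.max(timeout.toMinutes(), 1);
    }

    // ServletContextInitializer beans run while the servlet context is still
    // starting, both with the embedded container and in a WAR on an external
    // Tomcat, where the server.* properties are otherwise not applied.
    @Bean
    public ServletContextInitializer sessionTimeoutInitializer(ServerProperties props) {
        return (ServletContext ctx) -> {
            Duration configured = props.getServlet().getSession().getTimeout();
            if (configured == null) {
                return; // nothing configured: keep the container's own value
            }
            // Servlet 4.0 API: the argument is minutes, not seconds.
            ctx.setSessionTimeout(toWholeMinutes(configured));
            ctx.log("Effective session timeout: " + ctx.getSessionTimeout() + " minute(s)");
        };
    }
}
```

With `server.servlet.session.timeout=3m`, the `sessionCreated` listener from the question should then log 180 instead of Tomcat's default of 1800; confirm this in the deployed environment rather than assuming it.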