52

How can I configure my (embedded) Tomcat Session Timeout in a Spring Boot Application?

public class SessionListener implements HttpSessionListener{

@Override
public void sessionCreated(HttpSessionEvent se) {
    se.getSession().setMaxInactiveInterval(5*60);
}

@Override
public void sessionDestroyed(HttpSessionEvent se) {

}}

I have a SessionListener but I have no idea in which class I have to add this Listener to the Context.

Improve this question
1
  • 1
    Also useful to know that, according to this article, the setting can't be updated in code and must be done through the properties file as the answers indidcate: baeldung.com/servlet-session-timeout. From that article: "there is no way to programmatically set the global session timeout" Commented Jun 14, 2021 at 14:21

4 Answers 4

Reset to default
94

server.session.timeout in the application.properties file is now deprecated. The correct setting is:

server.servlet.session.timeout=60s

Also note that Tomcat will not allow you to set the timeout any less than 60 seconds. For details about that minimum setting see https://github.com/spring-projects/spring-boot/issues/7383.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Note: in the embeded Tomcat server it is in minutes, so if you set a value smaller that 1 minute, it will have to wait 1 minute for the session to expire.
I'm using session timeout lower than 60 seconds successfully with a spring boot 2.2.6 and embedded tomcat 9!
@Daryl server.servlet.session.timeout=60s is not working when I deploy my spring boot(2.2.4) spring security(5.2.1) web application into stand alone tomcat(9).I tried with minute also
@GhasemSadeghi Are you sure that your sub-60-second timeout actually times out in less than 60 seconds? I tried it today, just for experimentation, with 20s, and the timeout interval seemed to last 1 minute. I think we have embedded Tomcat 9 too. From what I read in the docs, Spring will allow you to set that setting to anything, even with Tomcat, but in the case of Tomcat, it will just round down to the nearest minute, or round up if you are below 1 minute.
53
  • Spring Boot version 1.0: server.session.timeout=1200
  • Spring Boot version 2.0: server.servlet.session.timeout=10m
    NOTE: If a duration suffix is not specified, seconds will be used.
Improve this answer

Comments

46

You should be able to set the server.session.timeout in your application.properties file.

ref: http://docs.spring.io/spring-boot/docs/1.4.x/reference/html/common-application-properties.html

EDIT:

This property has changed in later versions of Spring Boot to server.servlet.session.timeout.

ref: https://docs.spring.io/spring-boot/docs/2.4.x/reference/html/appendix-application-properties.html#server.servlet.session.timeout

Improve this answer

3 Comments

server.session.timeout= # Session timeout in seconds.
In your application.properties #session timeout (in secs for spring, in minutes for tomcat server/container) server.session.timeout=1 I tested it and is working! It turns out that tomcat take the property in minutes
This only works with the Embedded Tomcat of Spring Boot. When using war-Deployment, you have to add the SessionListener from the original question to the project by adding a @Configuration annotation on top of it. I would then suggest to use the standard property again by binding it with @Value("${server.servlet.session.timeout}") Duration timeout to the SessionListener and using that value with se.getSession().setMaxInactiveInterval(timeout.toSeconds()).
0

What nasezoll suggested worked perfectly. Here's a summary of what I did:

  1. Created a SessionListener:
    I implemented a SessionListener class in Groovy that uses the @Value("${server.servlet.session.timeout}") annotation to read the session timeout value from application.yaml. The session timeout is applied by calling setMaxInactiveInterval with the timeout value in seconds.

    @Configuration
class SessionListener implements HttpSessionListener {
    @Value('${server.servlet.session.timeout}')
    Duration timeout

    @Override
    void sessionCreated(HttpSessionEvent se) {
        se.session.setMaxInactiveInterval(timeout.toSeconds().intValue())
    }

    @Override
    void sessionDestroyed(HttpSessionEvent se) {
        // No action needed
    }
}

  2. Registered the Listener in resources.groovy:
    I added the SessionListener as a Spring bean in resources.groovy to ensure it is picked up by the application.

    beans = {
    sessionListener(SessionListener)
}

  3. Configured Timeout in application.yaml:
    I set the session timeout in application.yaml using the following configuration:

    server:
    port: 8090
    servlet:
        session:
            timeout: 5m # 5 minutes

This approach works perfectly in Grails 5.1.1 and ensures the session timeout is applied correctly.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.