6

I want to perform a custom event when a user is logged out from a session timeout. The user is successfully logged out after exactly the length of time specified by my application.properties:

server.servlet.session.timeout=10
server.servlet.session.cookie.max-age=10

I have found a few similar solutions which involve a SessionDestroyedEvent, for example:

@Slf4j
@Component
public class SessionExpiredListener implements ApplicationListener<SessionDestroyedEvent> {

    @Override
    public void onApplicationEvent(SessionDestroyedEvent event) {
        for (SecurityContext securityContext : event.getSecurityContexts()) {
            Authentication authentication = securityContext.getAuthentication();
            UserPrincipal user = (UserPrincipal) authentication.getPrincipal(); // UserPrincipal is my custom Principal class
            log.debug("Session expired!" + user.getUsername());
            // do custom event handling
        }
    }
}

The problem is the SessionDestroyedEvent is not triggered at the same time as the session timeout, in my tests it has triggered up to 5 minutes after the session has expired.

I have also tried using sessionDestroyed in HttpSessionListener but with similar results.

Is there an event that will trigger exactly when the session expires, or is there some way to achieve this?

Improve this question

2 Answers 2

Reset to default
2

The sessionDestroyed() method is called when the web container expires the session. In Tomcat, session expirations happens every minute, and I think it is the case with other servlet containers. So, even after the session times out there could be a delay until the next detection of expirations.

Session management is done by servlet container, and your application is getting notification from it. And there is no way to be notified at the exact time of session expiration.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thanks for a prompt reply. So essentially there is no way. It's a shame, I have a list of logged in users that I want to update as a session times out, I might be able to achieve the same thing using a SessionRegistry and let it be handled internally by Spring. Good to know that I shouldn't keep wasting my time looking for a solution that doesn't exist!
1

I also had handle the event when the user is logged out by session timeout. For me, this solution was helpfull: https://stackoverflow.com/a/18128496/4074871

Additionally I had to register the HttpSessionEventPublisher as mentioned in https://stackoverflow.com/a/24957247/4074871 because I had no web.xml for listener registration.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.