issue for tracking online active users

[xhe]

Based on the introduciton from book of "Spring Security 3", we can use SessionRegistry to retrieve all the active online users by this simple line:
sessionRegistry.getAllPrincipals().size()
The issue is if user use login/logout, this method will give accurate number, but mostly, people just leave the page without logout, in this case, sessionRegistry will always have those users in memory.
Are there anyway to detect the activity for those inactive users and give accurate number for online active users?

[Rob Winch]

Do you have the HttpSessionEventPublisher specified in your web.xml as specified in the Session Management portion of the reference?

[xhe]

yes for sure, I put
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessi onEventPublisher
</listener-class>
</listener>
in the web.xml

The thing is if user just close the browser, I can not see any way to notify the back end server for session destroy. and the session will be there forever.

Have you ever tried that and see if live online user can be calculated accurately?

[Rob Winch]

In this scenario, after a specified amount of time the session will expire based upon time. As soon as the session expires, the session information is removed from Spring Security. Then configuration for the expiration time is typically done in the web.xml Note the accuracy of the container can vary a bit (i.e. it may not be exact amount of time till it expires).

[xhe]

That's what I guess. Can you point me how to set the duration for session expiration?

[Rob Winch]

This isn't anything Spring Security specific and your favorite search engine should be able to help by searching for web.xml session timeout.