"Invalid session url" issue while accessing apps through several tabs in browsers

[Sparemejava]

Hello All,

briefly,
Recently in one of our projects, we added "<session-management invalid-session-url="/logout" />" to Spring security under <http> element and since then we started seeing a behavior, only when using multiple tabs on browsers.

When we start our application, on a browser tab in either FireFox or Internet Explorer, and we close the tab later and restart the application again in another tab, instead of the desired page, the spring is throwing us to /logout which I believe is due to the "invalid-session-url" added to spring security. But when we clear the history and cache and start over, it is working fine. Or if we start on a fresh browser (not tab) every time we do this, still it is working fine. Only when we start the application on a new tab, it is failing. So may be when the tab is closed, it is not closing the session, and we really do not need a session for our application to start with. May be this is more of a browser behavior , but does spring offer any tweaks to handle this situation. or may be I have completely misunderstood about "invalid-session-url". Either way, could some one guide me here ?

Thanks

[Sparemejava]

Any advice please.

[arthomps]

The behaviour you describe is what I would expect to occur when starting a new session except for:

we close the tab later and restart the application again in another tab, instead of the desired page, the spring is throwing us to /logout which I believe is due to the "invalid-session-url" added to spring security.

I don't believe closing a tab closes the session for most browsers (although it should imo). I would look at the browser settings in this instance.

If the behaviour is not as is desired, maybe look at using a persistent cookie (remember-me) to recreate the session.

-Andy

[Sparemejava]

Thank you for the response Andy.

We are already using the persistent cookie in our code. But, how to have <session-invalidate> react to persistent cookie, instead of browser cookie. That is what I'm thinking about. I agree that closing the tab, necessarily do not clear up the sessions in some browsers, and we do not want to change browser settings as this need to be communicated across to all customers. But is there any other way, we can achieve this desired behavior with in spring security.

[arthomps]

http://static.springsource.org/sprin...member-me.html allows the authentication to be restored after the session expires.

[Sparemejava]

May be I misunderstood the whole thing from the beginning.

Let me put this much simpler and straight forward.

How can I let Spring route to a desired page, if a session times out. I'm thinking that invalid-session-url may not be an appropriate solution for my timeouts.

Is there any such listener in Spring that can be registered (similar to SessionContextListener) and just supply a default url to be routed, if there is a time out.

[zhikim528]

The behaviour you describe is what I would expect to occur when starting a new session except for:



I don't believe closing a tab closes the session for most browsers (although it shouldR4i Gold imo). I would look at the browser settings in this instance.

If the behaviour is not as is desired, maybe look at using a persistent cookie (remember-me) to recreate the session.

I agree with you !

[arthomps]

May be I misunderstood the whole thing from the beginning.

Let me put this much simpler and straight forward.

How can I let Spring route to a desired page, if a session times out. I'm thinking that invalid-session-url may not be an appropriate solution for my timeouts.

Is there any such listener in Spring that can be registered (similar to SessionContextListener) and just supply a default url to be routed, if there is a time out.

http://static.springsource.org/sprin...id-session-url . I suspect this should go to a url that isn't /logout. Haven't used it personally though.