custom login messages when session expires

**baasmp** · Oct 10th, 2008, 09:30 AM

I want my pages to be redirected when accessed after a timeout. I have specified the session time out in web.xml. I can see that sessino timeout is happening, because I see that my pages are not getting updated after the timeout. But I need to redirect my page to login page, which is not happening.
I tried setting expired-url in concurrent-session-control tag in applicatin context xml file, but it didnot work. After various other trials, I found this article and implemented a custom filter , SessionExpiryFilter as mentioned in the article.

I find that, I never get session value as null after timeout, but I am pretty sure that timeout is happening. Since I am not able to identify that timeout has happened frmo the value of session, I am not able to redirect to the login page from the filter. I tried setting the listner for HttpSessionEvent in web.xml, but still, the filter does not get the session value as null after timeout.

When I put the filter as the last one in the chain, the filter does not get invoked at all.

Is there a mechanism that Spring provides to implement page redirection on session timeout?

I have also posted another message in this forum (thread number 61091)

**rrajamiyer** · Apr 29th, 2009, 05:56 PM

I am trying to solve exactly the same problem in my Spring MVC application and I followed the suggestion provided. I have created the custom session filter class and configured the xml files. But for some reason, my session filter never gets called. Interestingly, the expired session seems to be detected by spring and automatically redirects the user to the login page. But the custome 'session expired' message is not showing up.

**sample007** · Jun 6th, 2009, 06:55 AM

is latest HttpSessioncontextIntegrationfilter supporing session timeout..?
i am debugging this class.But i couldn't find ....
So still do we need to write our own filter for checking session timeout ..?
Please reply
Thanks

**Xuejin** · Jun 11th, 2009, 06:26 PM

I have a spring application implemented with Spring Security and CAS. In web.xml file, I have difined session event listener and session timeout parameter.
~~~~~~~~~
<listener>
<listenerclass>
org.jasig.cas.client.session.SingleSignOutHttpSess ionListener
</listener-class>
</listener>

<session-config>
<session-timeout>5</session-timeout>
</session-config>
~~~~~~~~~

Now after the application session timeout, I need to single sign the user out of CAS, and if he/she wants to access secured resource, she/he needs to be reauthenticated. Is that already implemented in spring-security-cas-client? Or do I need to use something like Macob's filter?

Thanks!

-Xuejin

**tripleyew** · Oct 14th, 2009, 02:37 PM

Support for session timeout detection

Thread: custom login messages when session expires

Thread Tools

Display

Page redirection after session timeout

relogin to CAS when session expires

Looks like support has been added in Spring Security 3.0.0 M2

Posting Permissions