spring-projects / spring-session

Spring Session

Home Page: https://spring.io/projects/spring-session

expiredSessionStrategy does not get invoked when spring session expires

seaswaraiyer opened this issue · comments

Describe the bug
When a user's session expires and they click on a link (to an HTML page) or click a button that issues an Ajax API request, I'm expecting expiredSessionStrategy to get invoked, since I have it configured under sessionManagement.

To Reproduce
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

    http
        .csrf(..)
        .authorizeHttpRequests(..)
        .oauth2Login(oauth2 -> {
            oauth2
                .userInfoEndpoint(userInfo -> userInfo
                    .oidcUserService(this.oidcUserService())
                )
                .loginPage("/login.html")
                .failureUrl("/loginFailure")
                .successHandler(customOauth2SuccessHandler);
        })
        .logout(...)
        .sessionManagement((sessions) -> sessions
            .maximumSessions(1)
            .sessionRegistry(this.sessionRegistry())
            .expiredSessionStrategy(event -> {
                String URI = event.getRequest().getRequestURI();
                System.out.println("URI=" + URI);
                // Page requests are redirected to the login page
                if (URI.endsWith(".html"))
                    event.getResponse().sendRedirect("/login.html?msgCode=4");
                else {
                    // Ajax/API requests get an error status instead of a redirect
                    event.getResponse().setContentType("application/json");
                    event.getResponse().sendError(440, "Session has expired. Please login again !");
                }
            })
            //.expiredUrl("/login.html?msgCode=4")
        );

    return http.build();
}

Expected behavior
When a user's session expires and they click on a link (to an HTML page) or click a button that issues an Ajax API request, I'm expecting expiredSessionStrategy to get invoked, since I have it configured under sessionManagement.

expiredUrl redirects to a URL and that does not work for Ajax API requests. Hence I'm trying to use expiredSessionStrategy.

Sample

A link to a GitHub repository with a minimal, reproducible sample

Note: I posted the question on Stack Overflow (link shared above), but nobody from the Spring Session team responded. I turned debug on for all the Spring Session packages, but I didn't see anything in the logs related to expiredSessionStrategy. I looked at the Spring Session documentation and I don't see much verbiage on expiredSessionStrategy there either.
If this is not a bug, then please let me know the reason why expiredSessionStrategy is not getting invoked. Please also let me know how to send a custom response to an Ajax API request upon session expiry since I cannot use expiredUrl.

Reports that include a sample will take priority over reports that do not.
At times, we may require a sample, so it is good to try and include a sample up front.

Hi, @seaswaraiyer. The code that you shared is from Spring Security; you should search and/or create an issue on its issue tracker.

> I turned debug on for all the spring session packages,

Try turning on TRACE for Spring Security packages.