1

I currently have an application running that uses java Spring to handle sessions. I have the following code, which handles all the sessions for me.

    @RequestMapping(value = "/login", method = GET)
    @ResponseBody
    public UserCredentials startLoginProcess(HttpSession session)
    {
        // initiate session if none exists
    }

    @RequestMapping(value = "/login", method = POST)
    @ResponseStatus(value = HttpStatus.OK)
    public void login(@RequestBody UserCredentials user, HttpSession session)
    {
        // do login stuff
    }

    @RequestMapping(value = "/logout", method = GET)
    @ResponseStatus(value = HttpStatus.OK)
    public void logout(HttpSession session)
    {
        session.invalidate();
    }

The key here is the logout which calls invalidate(). This should mark the session as invalid. However, when a call is made after invalidate using the same session, the server sends a response with a 200 OK and a new set-cookie header. I instead want an error to be thrown such as a 403 or something to state that the cookie is now invalid. What are some ways I can do this?

To be a little more specific, I would like the login GET call to handle creating new sessions if none exists, but all other calls should throw some type of error if the session is invalid. Apparently there is no isInvalid method on HttpSession.

6
  • do you mean to say when user calls logout action you want to verify whether session is valid or not if valid you want to proceed logout otherwise sessionExpired ? Commented Mar 25, 2014 at 3:34
  • basically, yes. Long answer, I want a sessionExpired on all endpoints except for GET /login if the session is not valid Commented Mar 25, 2014 at 3:42
  • Usually session checking can be done if(session==null) if that is null redirect to sessionExpired page. Commented Mar 25, 2014 at 3:54
  • that doesn't work because Spring automatically replaces the session with a valid one before it gets to me. Commented Mar 25, 2014 at 4:01
  • When user calls logout action You assign session with null and redirect to logout page .. Commented Mar 25, 2014 at 5:35

3 Answers

2

This is what you need. When you mark it as sessionStatus.setComplete(); spring takes care of removing everything for you.

    @Controller
    @RequestMapping(value = "/logout")
    @SessionAttributes({"someSession"})
    public class OutYouGo {
        @RequestMapping(method = RequestMethod.GET)
        public String logout(
                @ModelAttribute SomeSession someSession,
                SessionStatus sessionStatus) {

            sessionStatus.setComplete();
            return SIGN_OFF_PAGE_LINK;
        }
    }

1 Comment

this did absolutely nothing.
2

I ended up fixing the issue without any configuration by just not asking Spring to give me a session. Apparently Spring gives you a valid session by default because it calls request.getSession(true), which creates one if one doesn't exist or is invalid. I therefore asked for the session directly with false.

  @RequestMapping(value = "/logout", method = GET)
  @ResponseStatus(value = HttpStatus.OK)
  public void logout(HttpServletRequest request)
  {
    HttpSession session = request.getSession(false);
    if (session != null) {
      session.invalidate();
    }
  }

then on my Login GET I still have it pass in an HttpSession, but on my login POST, I get the session the same way I did above.

Comments
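The behaviour the question asks for (GET /login may start a session, every other endpoint answers 403 when the cookie is missing or names an invalidated session) can be centralised in a Spring MVC interceptor built on the same `request.getSession(false)` idea as the answer above. The following is an added example, not code from the question or any of the answers; the class names are hypothetical, and it assumes Spring 4.x / Spring Boot 1.x with the `javax.servlet` API (`HandlerInterceptorAdapter` and `WebMvcConfigurerAdapter` exist there). It also uses `HttpServletRequest.isRequestedSessionIdValid()`, which is the Servlet API's way of asking whether the id sent in the cookie still belongs to a live session, since `HttpSession` itself has no `isInvalid` method.

```java
import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

// Hypothetical class name; added example, not from the question or answers.
public class ValidSessionInterceptor extends HandlerInterceptorAdapter {

    @Override
    public boolean preHandle(HttpServletRequest request,
                             HttpServletResponse response,
                             Object handler) throws IOException {
        // GET /login is the only endpoint allowed to start a new session.
        // getServletPath() is used so a context path does not affect the match.
        if ("GET".equals(request.getMethod())
                && "/login".equals(request.getServletPath())) {
            return true;
        }

        // getSession(false) never creates a session, so a missing or
        // invalidated one shows up as null instead of a fresh Set-Cookie.
        HttpSession session = request.getSession(false);

        // isRequestedSessionIdValid() is false when the cookie carries an id
        // the container no longer knows, e.g. after session.invalidate().
        if (session == null || !request.isRequestedSessionIdValid()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Session is missing, expired or invalidated");
            return false; // stop here; the controller method never runs
        }
        return true;
    }
}

// Registers the interceptor for every path; the interceptor itself
// whitelists GET /login. Hypothetical class name.
@Configuration
class SessionInterceptorConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new ValidSessionInterceptor())
                .addPathPatterns("/**");
    }
}
```

With this in place the controllers can keep taking `HttpServletRequest` and calling `getSession(false)` as in the answer above; a client that replays a cookie after `/logout` gets a 403 rather than a silently issued replacement session, and the `Set-Cookie` header is only ever sent in response to GET /login.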

0

I use this for my InvalidateController:

    @Controller
    @RequestMapping("/invalidate")
    public class InvalidateController {

        @RequestMapping(method = RequestMethod.GET)
        public void showIndex(HttpServletResponse response) throws IOException {
            response.setStatus(299);
            response.getWriter().write("<script> window.location.href = '/login.jsp'</script>");
        }
    }

and all my javascript ajax (jQuery) calls check for status 299, then redirects to the login page if the session has timed out.

From my understanding 299 still is in the range of a successful call (200-299), but is unused, so it is safe to use as you see fit.

5 Comments

  • I don't get how this is working... to me it just appears that when someone calls GET /invalidate they will always get a status 299, how does this return an error on sessions when other calls such as POST /login are called?
  • You can change the status to whatever you want. The key thing to understand (and I see I did not make clear) is that when an invalid session calls something, Spring forwards the request to whatever you set the invalidate to in your config. Assuming that is working, you will get back a 200, because the redirect worked fine. Technically correct, but not what you were expecting.
  • Could you maybe point me to where this attribute is changed? Technically I am using Spring Boot so I don't have a config file. But if you show me an example config I might be able to figure it out.
  • I don't know about Spring Boot, but for regular Spring, it's in the security-app-context.xml, like this: <session-management invalid-session-url="/invalidate"/> "invalidate" is then mapped to the controller above
  • Unfortunately, I don't understand enough about Spring Security or Spring Boot to figure out how to do this with Spring Boot. But thanks for the help so far.
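For the Spring Boot case raised in the comments, the XML setting `<session-management invalid-session-url="/invalidate"/>` has a direct Java-config equivalent in Spring Security. The class below is an added example, not code from this answer; the class name is hypothetical and it assumes Spring Security 3.2 to 5.x, where `WebSecurityConfigurerAdapter` and `antMatchers` exist (both were removed in Spring Security 6). `invalidSessionUrl` makes the `SessionManagementFilter` redirect any request that carries a session id the container no longer recognises, which is why the AJAX client in this answer ends up seeing the 299 from `/invalidate` rather than an error from the original endpoint.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; added example, not from the answer above.
@Configuration
@EnableWebSecurity
public class InvalidSessionSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // the login endpoint must stay reachable without a session
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .sessionManagement()
                // Java-config equivalent of
                // <session-management invalid-session-url="/invalidate"/>:
                // a request whose cookie names a session the container no
                // longer has is redirected here instead of reaching its
                // original handler, so /invalidate decides what the client sees.
                .invalidSessionUrl("/invalidate");
    }
}
```

One caveat worth knowing before relying on this: the invalid-session check only fires when the request actually carries a stale session id. A request with no session cookie at all is not "invalid" in this sense and is handled by the normal `authorizeRequests` rules instead, so `/invalidate` is only ever hit after a timeout or an explicit `invalidate()`.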
