3
votes

I am using Spring Security 3.1. Before I added the invalid-session-url attribute of session management, it was correctly redirecting to the logout page. However, after adding invalid-session-url it redirects to the session expired page even when I click the logout button. Also, after the session-timeout period, if I load the login page it redirects to the session expired page.

I have to check for session expiry and redirect the user to the session expired page if the session has expired. However, after using the invalid-session-url tag it redirects me to the session expired page even in the login and logout scenarios.

In some posts it is advised not to use invalid-session-url. However, I do not understand how I would then be able to show the session expired page after an actual session expiry.

Any help will be appreciated.


3 Answers

3
votes

By default, the logout process will first invalidate the session, hence triggering the session management to redirect to the timeout page. Specifying invalidate-session="false" will fix this behavior.

    <sec:logout logout-success-url="/logout" invalidate-session="false"
                delete-cookies="JSESSIONID" />

2
votes

The session expiry is limited to detecting an invalid session cookie in a submitted request. If your logout doesn't remove the session cookie, then it will be resubmitted if you access the site again, which will trigger the invalid session URL. This is explained in the reference manual. I would read that and the accompanying footnote. As described there, you need to remove the session cookie, which may or may not work depending on your container.

2
votes

Try adding the following to your security configuration.

    <http>
        <logout delete-cookies="JSESSIONID" />
    </http>
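
The answers above turn on one check: a request that submits a session cookie the container no longer recognizes is sent to invalid-session-url. The following Python model of that check is an added example, not Spring Security code or code from any of the posters; the `Container` class, the `scenario` helper and the `/sessionExpired` and `/login` paths are assumptions made for illustration.

```python
"""Constructed model of invalid-session detection; not Spring Security code."""
import secrets

INVALID_SESSION_URL = "/sessionExpired"  # assumed value of invalid-session-url


class Container:
    """Minimal stand-in for the servlet container's session store."""

    def __init__(self):
        self.sessions = {}  # session id -> session attributes

    def login(self, user):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user}
        return {"JSESSIONID": sid}  # cookie jar kept by the browser

    def expire(self, cookies):
        # Server-side timeout: the session is gone, the browser cookie is not.
        self.sessions.pop(cookies["JSESSIONID"], None)

    def logout(self, cookies, invalidate_session=True, delete_cookies=False):
        sid = cookies.get("JSESSIONID")
        if invalidate_session:
            self.sessions.pop(sid, None)
        else:
            # Authentication is cleared, but the session id stays valid.
            self.sessions.get(sid, {}).pop("user", None)
        if delete_cookies:
            cookies.pop("JSESSIONID", None)

    def handle(self, cookies, path):
        """Return the path actually served for a request to `path`."""
        sid = cookies.get("JSESSIONID")
        # A session id was submitted, but the container does not know it.
        if sid is not None and sid not in self.sessions:
            return INVALID_SESSION_URL
        return path


def scenario(action, **logout_opts):
    """Log in, then time out or log out; return (next page, live sessions)."""
    container = Container()
    cookies = container.login("alice")
    if action == "timeout":
        container.expire(cookies)
    else:
        container.logout(cookies, **logout_opts)
    return container.handle(cookies, "/login"), len(container.sessions)
```

The second value in each result is the number of sessions still alive on the server: in this model it stays at 1 after a logout with `invalidate_session=False`, while deleting the cookie alone avoids the redirect and still destroys the session.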