Spring Security: invalid-session-url vs logout-success-url

Question

Spring Security: invalid-session-url vs logout-success-url

I am using Spring-Security 3.1. Before I added the session-invalid invalid-session-url attribute, it was correctly redirected to the exit page. However, by adding the wrong-session-url, it redirects to the session expiration page even by pressing the exit button. Also, after a session timeout period, if I load the login page, it is redirected to the expired session page.

I need to check the expiration of the session and redirect the user to the expired page if the session has expired. However, after using the invalid-session-url tag, it redirects me to the session end page even for a login and logout script.

Some messages recommend that you do not use the invalid-session-url. However, I cannot understand that then, how can I show the session expiration page after the expiration of the actual session.

Any help would be appreciated.

+3

spring security

Bipul sinha May 7, '12 at 15:15

source share

3 answers

Christopher yang · Answer 1 · 2013-01-03T00:39:29+0000

By default, the logout process will first invalidate the session, so starting session management will redirect to the timeout page. By setting invalidate-session = "false", this behavior will be fixed.

    <sec:logout logout-success-url="/logout" invalidate-session="false" 
delete-cookies="JSESSIONID" />

Shaun the Sheep · Answer 2 · 2012-05-08T07:36:15+0000

cookie . cookie , , , URL- . . . , cookie , .

os shi · Answer 3 · 2012-06-26T15:55:12+0000

.

<http>
    <logout delete-cookies="JSESSIONID" />
</http>

Spring Security: invalid-session-url vs logout-success-url

More articles: