即使用户正在使用系统，N 分钟后的绝对会话过期 [英] Absolute session expiration after N minutes even if user is using the system

问题描述

我正在开发具有 Spring 安全性的 grails Web 应用程序.即使会话处于活动状态，我也需要在一组固定的时间后强制会话过期.

I’m working on a grails web application with spring security. I have a requirement for forcing a session expiration after a fixed set of time even if the session is active.

我想我可以添加过滤器并检查每个请求的上次登录时间:

I think I can add filter and check for each request's last login time:

if (CURRENT_TIME - LAST_LOGIN > ABSOLUTE_SESSIO EXPIRATION) then FORCE LOGOUT

但问题是，在用户发出请求之前，会话在服务器上仍然处于活动状态.

But the problem is that the session is still active on the server until the user makes request.

即使用户正在使用系统，这是否可以在 N 分钟后立即销毁会话?一直在研究tomcat session管理和spring security是怎么处理的，没找到有用的资料.

Is this possible to destroy session immediately after N minutes even if user is using the system? I was researching tomcat session management and how spring security handles it, but didn’t find any useful information.

有人能给我举个例子吗?有没有人实现过类似的东西?

Could anybody point me at some example? Has anybody implemented something similar?

推荐答案

这就是我要做的，但它不会在您想要的特定时间终止会话.它依赖于发出请求的用户.这不是万无一失，但您可以让应用程序每分钟左右通过 AJAX 调用轮询站点.

This is how I would do it, but it doesn't kill the session at the specific time you want. It relies on the user making a request. It's not fool proof, but you could make the application poll the site every minute or so via an AJAX call perhaps.

在用户会话上设置会话激活时间.然后向 Web 应用程序添加一个过滤器，用于检查(激活周期 + 允许时间)是否超过当前时间的所有传入请求.如果没有，则调用 session.invalidate();

Set a session activation time on the users session. Then add a filter to the web application for all incoming requests that checks the (activation period + the allowed time) exceeds the current time. If it does not, then call session.invalidate();

即登录时

HttpSession session = request.getSession();
session.setAttribute( "activation-time", System.currentTimeMillis() );

然后在 web.xml 中添加过滤器

Then add a filter to web.xml

<filter>
    <filter-name>SessionFilter</filter-name>
    <filter-class>com.something.SessionFilter</filter-class>
    <init-param>
        <param-name>max-period</param-name>
        <param-value>60000</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>SessionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

过滤器类似于...

package com.something;

import java.io.IOException;
import java.util.Date;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionFilter implements Filter {
    private long maxPeriod;

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession( false );
        if ( session != null ) {
            long activated = (long) session.getAttribute( "activation-time" );
            if ( System.currentTimeMillis() > ( activated + maxPeriod ) ) {
                 session.invalidate();
            }
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) throws ServletException {
        //Get init parameter
        if ( config.getInitParameter("max-period") == null ) {
             throw new IllegalStateException( "max-period must be provided" );
        }
        maxPeriod = new Long( config.getInitParameter("max-period") );
    }

    public void destroy() {
        //add code to release any resource
    }
}

如果您需要在会话失效时调用某些内容，那么您可以编写一个 HttpSessionListener 并在 web.xml 中进行配置.

If you need to invoke something when the session is invalidated then you can write a HttpSessionListener and configure in web.xml also.

这篇关于即使用户正在使用系统，N 分钟后的绝对会话过期的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！