Whenever I run my web application and I go to the default page, I get a ROLE_ANONYMOUS user inside my authorities, which is expected. However, when I go idle, the session times out, which causes my invalid-session-url to be triggered. Is there any way to exclude unauthenticated users from the session timeout?
EDIT: The easiest way I found is by setting an InvalidSessionStrategy. Problem is, I don't know how to. I don't really need to create my own implementation of SessionManagementFilter. What I want is control of how the application will handle invalid-session-url. Can anyone help me out?
Having a session is a good practice even for unauthenticated users. Implement your invalid-session-url in a way that it checks for authentication before redirecting. If the user is not authenticated, redirect to a session-idle-timeout page.
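
A sketch of the InvalidSessionStrategy route mentioned in the question, added here as an example and not part of the original question or answer. The class name, the set of public paths and the timeout URL are hypothetical, and the `javax.servlet` imports assume a pre-Jakarta Spring Security version.

```java
import java.io.IOException;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.session.InvalidSessionStrategy;

/**
 * Hypothetical strategy: requests for known public pages get a fresh session
 * and are sent back to the same page; everything else goes to the timeout page.
 */
public class PublicAwareInvalidSessionStrategy implements InvalidSessionStrategy {

    private final Set<String> publicPaths; // assumed exact paths, e.g. "/" or "/index"
    private final String timeoutUrl;       // assumed path, e.g. "/session-timeout"

    public PublicAwareInvalidSessionStrategy(Set<String> publicPaths, String timeoutUrl) {
        this.publicPaths = publicPaths;
        this.timeoutUrl = timeoutUrl;
    }

    @Override
    public void onInvalidSessionDetected(HttpServletRequest request,
                                         HttpServletResponse response)
            throws IOException, ServletException {
        // Create a replacement session so the redirected request carries a
        // valid session id and does not trigger this strategy again.
        request.getSession();

        // The expired session's authentication is no longer available here,
        // so the decision is made on the requested path instead.
        String path = request.getRequestURI()
                             .substring(request.getContextPath().length());

        // Redirect only to allowlisted values, never to raw request input,
        // so a crafted path cannot turn this into an open redirect.
        String target = publicPaths.contains(path) ? path : timeoutUrl;
        response.sendRedirect(request.getContextPath() + target);
    }
}
```

The strategy is registered in place of invalid-session-url, for example through `SessionManagementFilter.setInvalidSessionStrategy(...)`, the `invalid-session-strategy-ref` attribute of `<session-management>`, or `http.sessionManagement().invalidSessionStrategy(...)` in Java configuration.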