Springboot app session timeout

spring boot default session timeout
spring session timeout
spring boot session timeout redirect to login page
spring boot session timeout listener
session timeout in spring security example
session timeout in spring mvc
spring boot request timeout
spring.session.redis.namespace not working

I have created a SpringBoot MVC/Security app 1.2.2.RELEASE and my application.properties contains server settings like

#Tomcat port and contextPath details

The documentation states

server.session-timeout= # session timeout in seconds

but the ServerProperties.java uses sessionTimeout;

If you look at the application.properties code I have posed, I have tried both independently and together, but I don't get timed out after 2 minutes, I don't have any other code explicitly written to perform any session handeling.

Has anyone come across this issue? What am I missing or doing wrong?

I don't know for some reason only setting


didn't work for me however, when I set both session timeout and cookie max age like below:


it works perfectly

Session Timeout in the web.xml of a Java Servlet web application, and course, focused on the fundamentals of Spring 5 and Spring Boot 2:. Krishna, it depends on what version of Spring Boot you are using. The server.session.timeout no longer works in Spring 2.x, which requires server.servlet.session.timeout. Keep in mind this will only work in embedded Tomcat, not standalone. For that, you have to manually set the session timeout in the Tomcat server.xml.

I'm not sure what this server.session.timeout is for because when I set it to a specific number, and monitor the session creation, the session expiry does not get changed.

I'm using spring session and redis integration, in my case, I need to set the maxInactiveIntervalInSeconds to be like 120(seconds), this can be done thru redisHttpSessionConfiguration.

And then if I go to redis to look for the session, I can see it's expiry is changed to 120 seconds and session timeout works.

One suggestion of mine would be that try to find out if you can configure the session's maxInactiveIntervalInSeconds(or similar) either programmatically or in the property file and monitor session changes.

For a more stateless application, the “never” option will ensure that Spring Security itself will Configure the Session Timeout with Spring Boot. If you are using spring boot, then as of version 1.3 it will automatically sync the value with the server.session.timeout property from the application configuration. Note that one of the shortcomings when using spring session is that javax.servlet.http.HttpSessionListeners are not invoked.

(This applies to Spring 1.5.x at the time of this writing)

Note that if you're using Redis session @EnableRedisHttpSession (such as in the other comment @Phoebe Li's case), then the application property server.session won't be applied. You'll have to set it manually by code like this:

public class HttpSessionConfig {
    public RedisOperationsSessionRepository sessionRepository(RedisConnectionFactory factory) {
        RedisOperationsSessionRepository sessionRepository = new RedisOperationsSessionRepository(factory);

        //Set the TTL of redis' key, which in turn will expire session when TTL is reached
        sessionRepository.setDefaultMaxInactiveInterval(15); //e.g. 15 seconds

        return sessionRepository;

You can configure HTTP Session Timeout for Spring Boot Applications in two ways: Configuring Session Timeout in application.properties. In this post we will be implementing Session Management using Spring Boot. For this tutorial we will be making use of JDBC as the data store for persisting Spring Session information. In the next tutorial we will be making use of Redis as the data store for storing Spring Boot Session information. First let us have a look at what is session

You can try with adding this both statements.


You can find complete example on my blog here: http://www.onlinetutorialspoint.com/spring-boot/how-to-set-spring-boot-tomcat-session-timeout.html

In this tutorials, I am going to show how to set/change Tomcat session timeout in Spring boot application. Spring boot session time out example  So it would appear that to get the Embedded Tomcat to honor a session timeout, when you use the server.session-timeout value, use it in minutes, not seconds. My previous attempts were with server.session-timeout=300 and after waiting at least 45 minutes, the timeout never occurred.

In application.yml of my Spring Boot 2 app

# A negative value means that the cookie is not stored persistently and will be deleted when the Web browser exits
        max-age: -1
      timeout: -1

With these settings JSESSIONID cookie expiration time is set to "When the browsing session ends".

We live in a nice time, when you can develop a Spring application using java based configuration. No redundant XML code any more, just pure  the session timeout property says: server.session.timeout= # Session timeout in seconds. So, I want to make the session to timeout after 5 seconds by using: server.session.timeout=5 but the session is not expiring, also waited for 5min but didn't expire either. I am using SprintBoot version 1.4.1.RELEASE with an embedded Tomcat.

I configured my Spring Boot app based on https://docs.spring.io/spring-session/​docs/current/reference/html5/guides/boot-redis.html, however  Configure the Session Timeout with Spring Boot We can easily configure the Session timeout value of the embedded server using properties: server.servlet.session.timeout=15m If we don't specify the duration unit, Spring will assume it's seconds.

Exception handling configuration in the application context <bean class="​org. The httpsession-jdbc-boot Sample Application demonstrates how to use Spring Session to transparently leverage an H2 database to back a web application’s HttpSession when you use Spring Boot. 5.1. Running the httpsession-jdbc-boot Sample Application

server.session.timeout has been used to configure session timeout in spring boot application in application.properties file. server.session.timeout consider as seconds in the server configuration. This configuration is common for all server like tomcat, jetty, undertow.

  • Boot's relaxed binding means that both server.sessionTimeout and server.session-timeout will configure ServerProperies' sessionTimeout property. Note that the unit is seconds, not minutes.
  • @Andy, thanks for the information, but that still does not explain why I don't get a time out, even if I set the value to 120 sec (2 minutes)
  • That's why it's a comment rather than an answer
  • According to this, the timeout is not expressed in number of minutes: stackoverflow.com/questions/24561915/…
  • Why would you get a timeout? The session will be cleaned up, if you are mixing this with Spring Security (not apparent from your question) it might be that that is configured wrongly. Also the timeout is ~ 2 minutes, depending on when the reaper thread is running, instead of 2 minutes it could actually be 3 minutes depending on the thread cleaning up the sessions.
  • it works because browser invalidates the cookie and doesn't send it to the server, therefore the server can't find the session
  • This way, the cookie gets invalidated, regardless of activity, therefore, you may be logged out while you are filling a form, and by the time you submit, you will be redirected.