-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Description
See the following snippets from our Session
API:
spring-session/spring-session-core/src/main/java/org/springframework/session/Session.java
Lines 135 to 142 in 5d0775b
/** | |
* Sets the maximum inactive interval between requests before this session will be | |
* invalidated. A negative time indicates that the session will never timeout. | |
* | |
* @param interval the amount of time that the {@link Session} should be kept alive | |
* between client requests. | |
*/ | |
void setMaxInactiveInterval(Duration interval); |
spring-session/spring-session-core/src/main/java/org/springframework/session/Session.java
Lines 144 to 151 in 5d0775b
/** | |
* Gets the maximum inactive interval between requests before this session will be | |
* invalidated. A negative time indicates that the session will never timeout. | |
* | |
* @return the maximum inactive interval between requests before this session will be | |
* invalidated. A negative time indicates that the session will never timeout. | |
*/ | |
Duration getMaxInactiveInterval(); |
So the API defines negative value as never timeout and says nothing on 0 value. In practice, I believe we treat 0 as expire now but need to verify this for all SessionRepository
implementations.
OTOH the Servlet API's HttpSession
says the following:
/**
* Specifies the time, in seconds, between client requests before the
* servlet container will invalidate this session.
*
* <p>An <tt>interval</tt> value of zero or less indicates that the
* session should never timeout.
*
* @param interval An integer specifying the number
* of seconds
*/
public void setMaxInactiveInterval(int interval);
/**
* Returns the maximum time interval, in seconds, that
* the servlet container will keep this session open between
* client accesses. After this interval, the servlet container
* will invalidate the session. The maximum time interval can be set
* with the <code>setMaxInactiveInterval</code> method.
*
* <p>A return value of zero or less indicates that the
* session will never timeout.
*
* @return an integer specifying the number of
* seconds this session remains open
* between client requests
*
* @see #setMaxInactiveInterval
*/
public int getMaxInactiveInterval();
With that in mind, the issue is that HttpSessionAdapter
effectively doesn't respect the Servlet API by doing this:
Lines 98 to 106 in 5d0775b
@Override | |
public void setMaxInactiveInterval(int interval) { | |
this.session.setMaxInactiveInterval(Duration.ofSeconds(interval)); | |
} | |
@Override | |
public int getMaxInactiveInterval() { | |
return (int) this.session.getMaxInactiveInterval().getSeconds(); | |
} |
Another API to consider here is WebSession
, which also doesn't clarify behavior for 0 value.
/cc @rwinch