Session API doesn't clarify behavior for maxInactiveInterval of 0 #1192

Open
@vpavic

See the following snippets from our Session API:

/**
 * Sets the maximum inactive interval between requests before this session will be
 * invalidated. A negative time indicates that the session will never timeout.
 *
 * @param interval the amount of time that the {@link Session} should be kept alive
 * between client requests.
 */
void setMaxInactiveInterval(Duration interval);

/**
 * Gets the maximum inactive interval between requests before this session will be
 * invalidated. A negative time indicates that the session will never timeout.
 *
 * @return the maximum inactive interval between requests before this session will be
 * invalidated. A negative time indicates that the session will never timeout.
 */
Duration getMaxInactiveInterval();

So the API defines a negative value as never timeout and says nothing on a value of 0. In practice, I believe we treat 0 as expire now, but we need to verify this for all SessionRepository implementations.

OTOH the Servlet API's HttpSession says the following:

/**
 * Specifies the time, in seconds, between client requests before the 
 * servlet container will invalidate this session. 
 *
 * <p>An <tt>interval</tt> value of zero or less indicates that the
 * session should never timeout.
 *
 * @param interval		An integer specifying the number
 * 				of seconds 
 */    
public void setMaxInactiveInterval(int interval);

/**
 * Returns the maximum time interval, in seconds, that 
 * the servlet container will keep this session open between 
 * client accesses. After this interval, the servlet container
 * will invalidate the session.  The maximum time interval can be set
 * with the <code>setMaxInactiveInterval</code> method.
 *
 * <p>A return value of zero or less indicates that the
 * session will never timeout.
 *
 * @return		an integer specifying the number of
 *			seconds this session remains open
 *			between client requests
 *
 * @see		#setMaxInactiveInterval
 */
public int getMaxInactiveInterval();

With that in mind, the issue is that HttpSessionAdapter effectively doesn't respect the Servlet API by doing this:

@Override
public void setMaxInactiveInterval(int interval) {
    this.session.setMaxInactiveInterval(Duration.ofSeconds(interval));
}

@Override
public int getMaxInactiveInterval() {
    return (int) this.session.getMaxInactiveInterval().getSeconds();
}

Another API to consider here is WebSession, which also doesn't clarify behavior for a value of 0.

/cc @rwinch
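The mismatch described in this issue, as an added example that is not part of the original post and is not Spring Session code: a self-contained model showing what a caller relying on the Servlet contract gets for an interval of 0 when the value is passed through unchanged. `ModelSession`, its expiry rule, and `servletContract` are hypothetical names and assumptions made for illustration.

```java
import java.time.Duration;
import java.time.Instant;

public class ZeroIntervalDemo {

    // Hypothetical stand-in for a Session implementation. Assumed expiry rule:
    // negative = never; otherwise expired once the interval has elapsed, so 0
    // expires immediately (the "expire now" reading mentioned in the issue).
    static final class ModelSession {
        final Duration maxInactiveInterval;
        final Instant lastAccessedTime;

        ModelSession(Duration interval, Instant lastAccessedTime) {
            this.maxInactiveInterval = interval;
            this.lastAccessedTime = lastAccessedTime;
        }

        boolean isExpired(Instant now) {
            if (this.maxInactiveInterval.isNegative()) {
                return false;
            }
            return !now.minus(this.maxInactiveInterval).isBefore(this.lastAccessedTime);
        }
    }

    // Pass-through conversion, as in the adapter snippet quoted in the issue.
    static Duration passThrough(int seconds) {
        return Duration.ofSeconds(seconds);
    }

    // One possible mapping that keeps the Servlet contract (zero or less = never).
    // Illustrative only; the issue does not propose a specific fix.
    static Duration servletContract(int seconds) {
        return (seconds <= 0) ? Duration.ofSeconds(-1) : Duration.ofSeconds(seconds);
    }

    public static void main(String[] args) {
        Instant now = Instant.now();
        for (int seconds : new int[] {-1, 0, 1800}) {
            boolean passThroughExpired = new ModelSession(passThrough(seconds), now).isExpired(now);
            boolean contractExpired = new ModelSession(servletContract(seconds), now).isExpired(now);
            System.out.printf("interval=%5d  pass-through expired=%-5b  servlet-contract expired=%b%n",
                    seconds, passThroughExpired, contractExpired);
        }
    }
}
```

Under the assumed expiry rule, only the row for 0 differs between the two conversions, which is the value the Session Javadoc leaves undefined.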
