Manually invalidating session values on session timeout
Again, my application did not have that kind of mechanism, yet I still made sure of it during the investigation. Do the same, and if you find one, pay a lot of attention to it. My assumptions were denied by clients (and by me), so I started looking for help on the Internet. I was not able to find a clear way to deal with this kind of problem, so I prepared a plan to figure out the solution.
Each JBoss instance is balanced by Apache HTTP Server, and each of the machines is balanced by a load balancer.
This means that after 30 minutes of inactivity on the website, the user’s session will be invalidated and any action taken redirects the user to the login page.
Remember that if you set the session timeout property to -1, the session will never be invalidated. Another configuration worth paying attention to is the concurrency control strategy defined in the Spring Security XML configuration file.
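As an added example (not code from the original post), the script below reads both settings out of the configuration files so they can be checked during an investigation. It assumes the timeout is set through the standard servlet `web.xml` `<session-timeout>` element and that concurrency control uses the Spring Security namespace element `<concurrency-control>`; the two sample files and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (assumptions, not taken from the original post).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config><session-timeout>-1</session-timeout></session-config>
</web-app>"""

SECURITY_XML = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http>
    <session-management>
      <concurrency-control max-sessions="1" error-if-maximum-exceeded="false"/>
    </session-management>
  </http>
</beans:beans>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    """Find elements by local name, whatever namespace prefix the file uses."""
    return [el for el in root.iter() if _local(el.tag) == name]


def session_timeout_findings(web_xml):
    """Return (minutes, finding) for the servlet <session-timeout> element."""
    nodes = _find_all(ET.fromstring(web_xml), "session-timeout")
    if not nodes:
        return None, "no <session-timeout>: the container default applies"
    minutes = int(nodes[0].text.strip())
    # The servlet specification treats 0 or less as "never time out".
    if minutes <= 0:
        return minutes, "sessions never expire from inactivity"
    return minutes, f"idle sessions are invalidated after {minutes} minutes"


def concurrency_control_settings(security_xml):
    """Return the attributes of every <concurrency-control> element found."""
    root = ET.fromstring(security_xml)
    return [dict(el.attrib) for el in _find_all(root, "concurrency-control")]


if __name__ == "__main__":
    print(session_timeout_findings(WEB_XML))
    print(concurrency_control_settings(SECURITY_XML))
```
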
To give you a better view of the infrastructure, please take a look at the picture below.
At this point you are familiar with the technical details of the application, so it is high time to look into the plan.