Managing Web Application Sessions with Spring Security

Session Creation Policies

Spring Security provides several session creation policies that control how sessions are handled:

  • stateless: Spring Security does not create or utilize any session. This is ideal for stateless API applications and helps conserve server resources.

To configure the session creation policy, extend WebSecurityConfigurerAdapter and override the configure(HttpSecurity http) method:

import org.springframework.security.config.http.SessionCreationPolicy;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.sessionManagement()
        // IF_REQUIRED is the default: a session is created only when
        // Spring Security needs one to store the authenticated context.
        .sessionCreationPolicy(
            SessionCreationPolicy.IF_REQUIRED
        );
}

Note: This setting governs only how Spring Security itself creates and uses HTTP sessions; it does not control the rest of the application. Even when Spring Security is told not to create a session, application code may still create one (in Spring applications sessions are typically managed through Spring Session).
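A complete configuration that applies the two policies side by side, as an added example that is not code from the original post: a JSON API under /api/** runs STATELESS (every call must carry its own credentials, nothing is stored in a session), while the browser-facing part of the same application keeps the default IF_REQUIRED with form login. The path prefixes, the use of HTTP Basic for the API and the permitted URLs are assumptions; the @Order values only decide which adapter is consulted first.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

/**
 * Added example (not from the original post): one application that serves a
 * stateless API under /api/** and a session-based UI everywhere else.
 * Path prefixes and the HTTP Basic choice for the API are assumptions.
 */
@Configuration
public class SessionPolicyConfig {

    /** Evaluated first: only requests matching /api/** reach this chain. */
    @Configuration
    @Order(1)
    public static class ApiConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")
                .sessionManagement()
                    // Never create a session and never read an existing one: the
                    // SecurityContext is not persisted between requests, so every
                    // API call has to authenticate itself (here via HTTP Basic).
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .httpBasic();
        }
    }

    /** Fallback chain for everything else: form login backed by an HTTP session. */
    @Configuration
    @Order(2)
    public static class WebConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.sessionManagement()
                    // Default policy: a session is created only when Spring
                    // Security needs one, i.e. after a successful login.
                    .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                    .and()
                .authorizeRequests()
                    .antMatchers("/", "/login").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin();
        }
    }
}
```

With this split, a request to /api/orders that carries a valid JSESSIONID is still rejected unless it also carries credentials, which is the property the stateless policy buys you: a stolen or lingering session cookie is worthless against the API. The rest of the application behaves exactly as the single configure() method above.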

Session Timeout Management

Handling Session Timeout

When a session expires, applications typically redirect users to a specific URL displaying a timeout message. Spring Security offers two hooks for this: invalidSessionUrl() handles requests that present a session ID the container no longer recognises (the typical timed-out session), while expiredUrl() belongs to concurrency control and handles sessions that were expired because the user exceeded the allowed number of concurrent sessions. The following configuration wires both:

http.sessionManagement()
    // Request carries a JSESSIONID whose session has timed out or was invalidated.
    .invalidSessionUrl("/invalidSession.html")
    // expiredUrl() is only available through concurrency control, so a
    // maximum number of sessions per user has to be declared first.
    .maximumSessions(1)
    .expiredUrl("/sessionExpired.html");

Configuring Session Timeout Duration

In Spring Boot applications, there are two ways to configure session timeout, and Spring Security fully supports both. When a session times out, users must re-authenticate to access protected resources:

server.servlet.session.timeout=15m
spring.session.timeout=15m

The first property is Spring Boot's native session timeout configuration. The second applies when using Spring Session for distributed session management. When both are present, the second property takes precedence.
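A redirect is the right answer for a browser but the wrong one for an XHR or API client, which only sees a 302 to an HTML page. As an added example (not code from the original post), the following configuration replaces the fixed invalidSessionUrl() with a custom InvalidSessionStrategy that answers JSON clients with 401 and everyone else with the usual redirect. The strategy is invoked by SessionManagementFilter whenever a request presents a session ID that is no longer valid, which is exactly what a timed-out session looks like from the server. The URL, the Accept-header check and the JSON body are assumptions; the imports target Spring Security 5 (javax.servlet), matching the WebSecurityConfigurerAdapter API used on this page.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;

/**
 * Added example (not from the original post): timeout handling that
 * distinguishes API clients from browsers. URL and header check are assumptions.
 */
@Configuration
public class SessionTimeoutConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement()
                .invalidSessionStrategy(
                    new ContentNegotiatingInvalidSessionStrategy("/invalidSession.html"))
                .and()
            .authorizeRequests()
                .antMatchers("/invalidSession.html", "/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }

    /** 401 + JSON for clients that ask for JSON, redirect for everybody else. */
    static class ContentNegotiatingInvalidSessionStrategy implements InvalidSessionStrategy {

        private final InvalidSessionStrategy redirect;

        ContentNegotiatingInvalidSessionStrategy(String invalidSessionUrl) {
            // Spring Security's own redirect strategy; by default it creates a
            // fresh session before redirecting so the stale cookie is replaced
            // and the browser does not loop on the invalid-session page.
            this.redirect = new SimpleRedirectInvalidSessionStrategy(invalidSessionUrl);
        }

        @Override
        public void onInvalidSessionDetected(HttpServletRequest request,
                                             HttpServletResponse response)
                throws IOException, ServletException {
            String accept = request.getHeader("Accept");
            if (accept != null && accept.contains("application/json")) {
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                response.setContentType("application/json");
                // Constructed error body: the client should re-authenticate.
                response.getWriter().write("{\"error\":\"session_expired\"}");
                return;
            }
            redirect.onInvalidSessionDetected(request, response);
        }
    }
}
```

Whichever branch answers, the timeout itself still comes from server.servlet.session.timeout or spring.session.timeout as described above; this code only decides what the client is told once the container has dropped the session.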

Session Fixation Protection

Session fixation protection prevents malicious users from hijacking valid user sessions through cookie theft. By default, Spring Security enables migrateSession protection. With this strategy, every successful authentication creates a new HTTP session with a fresh ID, invalidates the old session, and copies its attributes into the new one, so a session ID known before login no longer identifies the authenticated session.

http.sessionManagement()
    .sessionFixation()
    // New session ID on login; attributes of the old session are carried over.
    .migrateSession();

Two alternative options are available:

  • none: The original session remains valid after authentication
  • newSession: Creates a fresh session without copying any attributes from the previous one
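The property worth verifying is that the session ID the client had before login is not the one it has afterwards, and that with migrateSession the attributes survive. The following Spring Boot test, an added example and not code from the original post, checks both with MockMvc: it seeds a session with an attribute, logs in through the default form-login endpoint, and compares IDs and attributes. It assumes the application uses formLogin() with the default /login processing URL (as the configurations on this page do), and it configures a test user through the real Spring Boot properties spring.security.user.name and spring.security.user.password; the attribute name and value are constructed.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;

import javax.servlet.http.HttpSession;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;

/**
 * Added example (not from the original post): verifies that login replaces the
 * session ID while keeping attributes. Test user and attribute are constructed.
 */
@SpringBootTest(properties = {
        "spring.security.user.name=user",
        "spring.security.user.password=password"
})
@AutoConfigureMockMvc
class SessionFixationTest {

    @Autowired
    MockMvc mockMvc;

    @Test
    void loginIssuesNewSessionIdAndKeepsAttributes() throws Exception {
        // Pre-authentication session, e.g. one that held an anonymous shopping cart.
        MockHttpSession before = new MockHttpSession();
        before.setAttribute("cart", "3 items");
        String idBefore = before.getId();

        MvcResult result = mockMvc.perform(post("/login")
                        .with(csrf())
                        .param("username", "user")
                        .param("password", "password")
                        .session(before))
                .andExpect(authenticated().withUsername("user"))
                .andReturn();

        // The request now refers to the session created (or re-keyed) by the
        // session fixation strategy during authentication.
        HttpSession after = result.getRequest().getSession(false);

        // The ID known before login must not identify the authenticated session.
        assertNotEquals(idBefore, after.getId());
        // migrateSession copies attributes; with newSession this line would fail.
        assertEquals("3 items", after.getAttribute("cart"));
    }
}
```

Switching the configuration to sessionFixation().newSession() makes the second assertion fail, which is a quick way to confirm which of the three strategies is actually in effect rather than trusting the defaults.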

Cookie Security Configuration

Since session security heavily depends on cookie integrity, securing cookies is essential. In Spring Boot, this can be configured directly:

server.servlet.session.cookie.http-only=true
server.servlet.session.cookie.secure=true

The http-only flag prevents client-side scripts from accessing cookies, while the secure flag ensures cookies are only transmitted over HTTPS connections.
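The same two flags can be set programmatically, which is useful when the cookie policy must not depend on an application.properties file being present, and this is also the place to add the SameSite attribute, which goes beyond the two properties above. The following configuration is an added example, not code from the original post: it uses the Servlet API's SessionCookieConfig for HttpOnly and Secure and Spring Boot's CookieSameSiteSupplier (available since Boot 2.6) for SameSite. The cookie name JSESSIONID is the servlet container default; if you rename the cookie, adjust the whenHasName() filter accordingly.

```java
import javax.servlet.SessionCookieConfig;
import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.boot.web.servlet.server.CookieSameSiteSupplier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Added example (not from the original post): programmatic equivalent of the
 * http-only / secure properties plus a SameSite policy for the session cookie.
 */
@Configuration
public class SessionCookieHardeningConfig {

    /** Runs once when the servlet context starts, before any session is created. */
    @Bean
    public ServletContextInitializer sessionCookieFlags() {
        return servletContext -> {
            SessionCookieConfig cookie = servletContext.getSessionCookieConfig();
            // Not readable from JavaScript: limits the damage of an XSS bug.
            cookie.setHttpOnly(true);
            // Only sent over HTTPS: never leaks on a plain-HTTP connection.
            cookie.setSecure(true);
        };
    }

    /** SameSite=Lax on the session cookie only; other cookies are left untouched. */
    @Bean
    public CookieSameSiteSupplier sessionCookieSameSite() {
        return CookieSameSiteSupplier.ofLax().whenHasName("JSESSIONID");
    }
}
```

One practical caveat that applies to the property form as well: with secure=true a browser will not send the cookie over http://localhost, so a development setup without TLS loses its session on every request and form login appears to "not work". Keep the flag on in every environment that is reachable over the network and run local development behind HTTPS too rather than toggling it off.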

Tags: Spring Security Session Management Web Security Spring Boot

Posted on Fri, 15 May 2026 08:00:00 +0000 by lordfrikk