As per OWASP, sessions must have an absolute timeout which defines the maximum amount of time a session can be active. I know how to set the max inactivity timeout for a Spring session using server.servlet.session.timeout, however I am not sure how to set the absolute timeout for the session. I guess I could set the Max-Age attribute for the cookie, which would potentially serve as an absolute timeout, however I was wondering if the absolute timeout could somehow be set on the server-side session?
This feature is not implemented in Spring sessions.
A request for this feature at https://github.com/spring-projects/spring-session/issues/922 was rejected, with this workaround provided:
You could provide a delegating implementation of the SessionRepository interface that delegates to another implementation of SessionRepository (i.e. Redis) and then, when it retrieves the session, determines if the creation date is past the absolute session timeout. If it is, then you would invalidate the session and return a null value for the lookup.
(More implementation details are discussed in the issue comments.)
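A minimal version of the delegating SessionRepository described in that workaround, as an added example (not code from the issue, the answer or Spring Session itself). The class name, the constructor parameters and the use of deleteById to invalidate an over-age session are assumptions; how the wrapper is registered in place of the auto-configured repository depends on the backing store and is not shown.

```java
import java.time.Duration;
import java.time.Instant;
import org.springframework.session.Session;
import org.springframework.session.SessionRepository;

/**
 * Wraps any SessionRepository and enforces an absolute timeout measured from
 * the session's creation time, independent of the inactivity timeout that the
 * delegate (e.g. Redis) already applies. Hypothetical class, added as an example.
 */
public class AbsoluteTimeoutSessionRepository<S extends Session> implements SessionRepository<S> {

    private final SessionRepository<S> delegate;
    private final Duration absoluteTimeout;

    public AbsoluteTimeoutSessionRepository(SessionRepository<S> delegate, Duration absoluteTimeout) {
        this.delegate = delegate;
        this.absoluteTimeout = absoluteTimeout;
    }

    @Override
    public S createSession() {
        // Creation time is stamped by the delegate; nothing extra is needed here.
        return delegate.createSession();
    }

    @Override
    public void save(S session) {
        delegate.save(session);
    }

    @Override
    public S findById(String id) {
        S session = delegate.findById(id);
        if (session == null) {
            return null; // unknown, or already expired by the inactivity timeout
        }
        if (isPastAbsoluteTimeout(session, Instant.now())) {
            // Invalidate: remove it from the backing store so it cannot be revived,
            // then report the lookup as a miss so the caller starts a fresh session.
            delegate.deleteById(id);
            return null;
        }
        return session;
    }

    @Override
    public void deleteById(String id) {
        delegate.deleteById(id);
    }

    /** True once creationTime + absoluteTimeout has been reached (inclusive). */
    boolean isPastAbsoluteTimeout(Session session, Instant now) {
        return !now.isBefore(session.getCreationTime().plus(absoluteTimeout));
    }
}
```

Wrapping the repository in findById is enough to enforce the limit on the server side, because every request that presents a session cookie resolves the session through this lookup; the Max-Age cookie attribute mentioned in the question then becomes a client-side hint rather than the control.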