Invalidating session in spring
This means that after 30 minutes of not doing anything on the website, user’s session will be invalidated and any action taken redirects user into login page.Remember, that if you set session timeout property to value -1, the session will never be invalidated. Another configuration worth paying attention to is concurrency control strategy defined inside Spring Security XML configuration file.The application is deployed into multiple JBoss AS instances on multiple machines.
The steps were prepared based on the real experience with finding out the root cause of unexpected users’ logouts in my Spring MVC web application.
As for Spring MVC you can influence session management with tag inside
One of the first things that I checked during investigation was session timeout configuration under this tag.
Again, my application did not have that kind of mechanisms, yet still I made myself sure about it during investigation.
Do the same and if you find one, pay a lot of attention to it.