Skip to content

maxInactiveInterval < 0 but redis session still expired #3362

New issue
New issue
Open
Open
maxInactiveInterval < 0 but redis session still expired#3362
Labels
status: waiting-for-triageAn issue we've not yet triagedtype: bugA general bug
@hdsuperman

Description

@hdsuperman
hdsuperman
opened on Mar 25, 2025

Source:

spring-session/spring-session-data-redis/src/main/java/org/springframework/session/data/redis/RedisIndexedSessionRepository.java

Lines 930 to 962 in 2353d8b

createShadowKey(sessionExpireInSeconds);
long fiveMinutesAfterExpires = sessionExpireInSeconds + TimeUnit.MINUTES.toSeconds(5);
RedisIndexedSessionRepository.this.sessionRedisOperations.boundHashOps(getSessionKey(getId()))
.expire(fiveMinutesAfterExpires, TimeUnit.SECONDS);
RedisIndexedSessionRepository.this.expirationStore.save(this);
this.delta = new HashMap<>(this.delta.size());
}
private void createShadowKey(long sessionExpireInSeconds) {
String keyToExpire = "expires:" + getId();
String sessionKey = getSessionKey(keyToExpire);
if (sessionExpireInSeconds < 0) {
BoundValueOperations<String, Object> valueOps = RedisIndexedSessionRepository.this.sessionRedisOperations
.boundValueOps(sessionKey);
valueOps.append("");
valueOps.persist();
RedisIndexedSessionRepository.this.sessionRedisOperations.boundHashOps(getSessionKey(getId()))
.persist();
}
if (sessionExpireInSeconds == 0) {
RedisIndexedSessionRepository.this.sessionRedisOperations.delete(sessionKey);
}
else {
BoundValueOperations<String, Object> valueOps = RedisIndexedSessionRepository.this.sessionRedisOperations
.boundValueOps(sessionKey);
valueOps.append("");
valueOps.expire(sessionExpireInSeconds, TimeUnit.SECONDS);
}
}

Bug

The following code will always execute, Regardless of whether maxInactiveInterval is less than 0

RedisIndexedSessionRepository.this.sessionRedisOperations.boundHashOps(getSessionKey(getId()))
				.expire(fiveMinutesAfterExpires, TimeUnit.SECONDS);

This code in createShadowKey will always be skipped:

if (sessionExpireInSeconds < 0) {
	...
	RedisIndexedSessionRepository.this.sessionRedisOperations.boundHashOps(getSessionKey(getId()))
		.persist();
}

How to fix

long sessionExpireInSeconds = getMaxInactiveInterval().getSeconds();

createShadowKey(sessionExpireInSeconds);

if (sessionExpireInSeconds > 0) {
    long fiveMinutesAfterExpires = sessionExpireInSeconds + TimeUnit.MINUTES.toSeconds(5);
    RedisIndexedSessionRepository.this.sessionRedisOperations.boundHashOps(getSessionKey(getId()))
	.expire(fiveMinutesAfterExpires, TimeUnit.SECONDS);
}

RedisIndexedSessionRepository.this.expirationStore.save(this);
this.delta = new HashMap<>(this.delta.size());

Metadata

Metadata

Assignees

No one assigned

    Labels

    status: waiting-for-triageAn issue we've not yet triagedtype: bugA general bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions