How to Prevent Spring Security Session Timeout Redirects in NW.js Apps

This article explains why Spring Security redirects to the login page after 30 minutes of inactivity in a NW.js application, examines the underlying session handling code, and shows how to implement a custom success handler to preserve the user's original page.

Spring Full-Stack Practical Cases

Environment: Spring Boot 2.2.11.RELEASE + Spring Security 5.2.7.

Background: A project built with NW.js uses Spring Security for user login. After an inactivity timeout of two hours, the application is automatically redirected to the login page, which disrupts users who keep their computers on 24/7.

Investigation reveals that Spring Security saves the original request in the HTTP session and, after successful authentication, retrieves it to perform a redirect. The key classes involved are AbstractAuthenticationProcessingFilter, SavedRequestAwareAuthenticationSuccessHandler, and HttpSessionRequestCache.

The default session timeout is 30 minutes. The author initially extended the session validity to one day, which reduced complaints, but some users still experienced redirects after several days of inactivity.

Solution: Define a custom AuthenticationSuccessHandler in the HttpSecurity configuration to capture the user's last page URL and pass it as a parameter during the NW.js redirect, so that returning to that page no longer depends on the saved request surviving in the session.

Configuration example (image):

Code that stores the saved request in the session:

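// Snapshot of the request that triggered the login (URL, parameters, headers).
DefaultSavedRequest savedRequest = new DefaultSavedRequest(request, portResolver);
if (createSessionAllowed || request.getSession(false) != null) {
    // The snapshot lives in the HTTP session, so it is lost when the session expires.
    request.getSession().setAttribute(this.sessionAttrName, savedRequest);
    logger.debug("DefaultSavedRequest added to Session: " + savedRequest);
}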

By passing the original page address as a parameter during the NW.js redirect, the application can restore the user's context even after the session has expired.
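
The success handler described in the solution, sketched as an added example (not the article's or the project's own code). It assumes the NW.js client submits the last page in a request parameter named returnTo and that /index is the default landing page; both names are hypothetical. Because the redirect target now comes from the request instead of the server-side session, the handler accepts only paths inside the application, which keeps the parameter from becoming an open redirect.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

// Added example: RETURN_PARAM and DEFAULT_TARGET are assumed values, not from the article.
public class ReturnToSuccessHandler implements AuthenticationSuccessHandler {

    private static final String RETURN_PARAM = "returnTo";  // hypothetical parameter name
    private static final String DEFAULT_TARGET = "/index";  // hypothetical landing page
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication) throws IOException {
        String candidate = request.getParameter(RETURN_PARAM);
        // Fall back to the default page when the parameter is missing or not a local path.
        String target = isLocalPath(candidate) ? candidate : DEFAULT_TARGET;
        // DefaultRedirectStrategy prepends the context path to non-absolute URLs.
        redirectStrategy.sendRedirect(request, response, target);
    }

    // True only for a path within this application, e.g. "/orders/12?tab=2".
    static boolean isLocalPath(String url) {
        if (url == null || url.isEmpty() || url.length() > 2048) {
            return false;
        }
        // Reject scheme-relative URLs ("//host") and backslash variants browsers normalise.
        if (!url.startsWith("/") || url.startsWith("//") || url.indexOf('\\') >= 0) {
            return false;
        }
        // Reject control characters (CR/LF and similar) in a value that ends up in a header.
        if (url.chars().anyMatch(c -> c < 0x20 || c == 0x7f)) {
            return false;
        }
        try {
            URI uri = new URI(url);
            return !uri.isAbsolute() && uri.getHost() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```

Register it in the HttpSecurity configuration with http.formLogin().successHandler(new ReturnToSuccessHandler()).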
