@rwinch Any plans to support this for MapSession. Currently, I am using MapSession with Spring Security. Since the Session events are not published, the Spring Security Session Management does not work correctly. Destroyed sessions do not get removed from SessionRegistry. To fix this, i am manually publishing the event in a LogoutHandler.

For my use case, if at least MapSession publishes appropriate events, it would be beneficial.

@aravindanr Typically MapSessionRepository (in particular when using a HashMap) is used for testing purposes due to the fact that it does not work across a cluster.

MapSessionRepository can be used in a cluster when using a distributed Map implementation (i.e. Hazelcast). However, to support session timeouts is very implementation specific so it is unlikely we will be able to support HttpSessionListener in the generic MapSessionRepository.

If HttpSessionListener support cannot be implemented could you consider at least firing Spring Security's HttpSessionCreatedEvent and HttpSessionDestroyedEvent ? Those are helpful to build an in-memory list of HttpSession objects by session id, which I'd like to use in a custom implementation of Spring Security session management own ConcurrentSessionControlAuthenticationStrategy that invalidates sessions on the spot.

Without those two, I can retrieve Spring Session's Session or ExpiringSession objects (wiring SessionRepository in) but then I can't invalidate the session as those objects do not have an invalidate() method.

👍

Unless HttpSessionListener and HttpSessionAttributeListener is supported, documenting alternative solutions is helpful and required.

org.springframework.context.ApplicationListener for org.springframework.session.events.SessionDestroyedEvent is alternative of javax.servlet.http.HttpSessionListener#sessionDestroyed?

The following methods look working:

• javax.servlet.http.HttpSessionListener#sessionCreated
• javax.servlet.http.HttpSessionAttributeListener#attributeAdded

javax.servlet.http.HttpSessionBindingListener dose not seem to work.
So org.springframework.web.context.request.DestructionCallbackBindingListener doesn't work.
This means @PreDestroy annotated session scoped bean doesn't work, right?

👍
We don't have requirement for clustering and use MapSessionRepository as bridge between HttpSessionand WebSocketSessionand we'd like to have metrics on active sessions but HttpSessionListeneris not supported.

@paskos NOTE: You can get active sessions by querying Redis instead

We don't use Redis because we don't need clustering, we use MapSessionRepository

+1

+1 from me.

We use the SessionDestroyedEvent to get information about the user. This information is stored in a "login history table" - so we need the information stored on the Session to build the data.

Happy to use a workaround - but cannot think of one at the moment...

With the attention this is receiving, I believe we will be looking into support for this feature in 1.1 or 1.2 (it really depends on how much time I have). I've been giving this some thought and the way I think we might be able to support this is doing something like this:

UPDATE: I found a link that describes this strategy much better than I did.

If anyone wants to look into submitting a PR it would be most welcome! If you have any questions please don't hesitate to reach out via this issue and mentioning me.

I have moved this to be added in 1.1 M1 since we are going to need to support this feature for #7

I added HttpSessionListener support for the Redis based implementation. To use it you create your HttpSessionListener as a Spring bean instead of registering it with the Servlet Container. Details will be available in the docs as soon as they deploy (about 30 min) at http://docs.spring.io/spring-session/docs/current-SNAPSHOT/reference/html5/#httpsession-httpsessionlistener

@rwinch Does spring-session supports session listener for redis cluster configuration? In our application we are using redis cluster and it seems we are not receiving session-created/session-destroyed call back. We are receiving the session HttpSessionListener call back if we use stand-alone instance of redis server.

@sanketmeghani Yes. You must be using Spring Session 1.1+ You can find additional details at http://docs.spring.io/spring-session/docs/current/reference/html5/#httpsession-httpsessionlistener

@rwinch Thank you for quick response. We are using spring-session 1.2.0.RC1 and spring-data-redis 1.7.0.RC1. Somehow we are not getting the listener call back if we use redis cluster. It works perfect if we use a stand-alone redis server. I have uploaded a sample springSessionContext.xml .

On one of the nodes in redis cluster, we see "SUBSCRIBE" "__keyevent@:expired" "spring:session:event:created:" "__keyevent@*:del" command. So it does subscribe on one node. Should it subscribe to all nodes in the cluster? Or this is expected behavior?

@sanketmeghani Sorry I missed the Redis cluster part. Let's create a distinct issue to discuss this please.

Created a distinct issue #478 to discuss this.