fix: include server time in cookie and sessionTimeout in systemInfo

kabaros · web-flow · commit bc5bfc266e50 · 2026-02-19T14:14:48.000Z
* fix: expose sessionTimeout in system/info endpoint

* fix: include server time in SESSION_EXPIRE cookie
diff --git a/dhis-2/dhis-api/src/main/java/org/hisp/dhis/system/SystemInfo.java b/dhis-2/dhis-api/src/main/java/org/hisp/dhis/system/SystemInfo.java
@@ -62,6 +62,7 @@ public final class SystemInfo {
   @JsonProperty private final String dateFormat;
   @JsonProperty private final Date serverDate;
   @JsonProperty private final String serverTimeZoneId;
+  @JsonProperty private final int sessionTimeout;
   @JsonProperty private final String serverTimeZoneDisplayName;
   @JsonProperty private final Date lastAnalyticsTableSuccess;
   @JsonProperty private final String intervalSinceLastAnalyticsTableSuccess;
diff --git a/dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/system/DefaultSystemService.java b/dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/system/DefaultSystemService.java
@@ -124,6 +124,7 @@ public SystemInfo getSystemInfo() {
         .capability(capabilityProvider.getSystemCapability())
         .calendar(calendarService.getSystemCalendar().name())
         .dateFormat(calendarService.getSystemDateFormat().getJs())
+        .sessionTimeout(dhisConfig.getIntProperty(ConfigurationKey.SYSTEM_SESSION_TIMEOUT))
         .serverDate(now)
         .serverTimeZoneId(tz.getID())
         .serverTimeZoneDisplayName(tz.getDisplayName())
diff --git a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/filter/SessionTimeoutHeaderFilter.java b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/filter/SessionTimeoutHeaderFilter.java
@@ -64,8 +64,12 @@ protected void doFilterInternal(
       long expiresEpochSecond = Instant.now().plusSeconds(maxInactiveInterval).getEpochSecond();
       SessionCookieConfig sessionCookieConfig =
           request.getServletContext().getSessionCookieConfig();
+      String cookieValue =
+          String.format(
+              "server-time:%s/session-expiry:%s",
+              Instant.now().getEpochSecond(), expiresEpochSecond);
       ResponseCookie cookie =
-          ResponseCookie.from(COOKIE_NAME, String.valueOf(expiresEpochSecond))
+          ResponseCookie.from(COOKIE_NAME, cookieValue)
               .maxAge(maxInactiveInterval)
               .path("/")
               .httpOnly(false)
