BUG: Inconsistent TTL on Session Expiration Sets leading to increasing orphaned keys #3477

@RoshanKumarChoudhary

Description

The current implementation of MinuteBasedRedisSessionExpirationStore does not apply a “safety net” Time-To-Live (TTL) to the expiration tracking SET.

Looking at the save method, we can see that the line

this.redis.boundSetOps(expirationsKey).expire(fiveMinutesAfterExpires, TimeUnit.SECONDS);

does not set the expiry when the key is created for the first time. It only updates the TTL for subsequent keys that fall within the same minute.

I assume this behavior is intentional—to refresh the TTL for an already existing SET key. However, the issue is that when the SET is saved for the first time, it has no TTL applied, which can lead to orphaned keys accumulating over time.

The following snippet shows where the TTL should likely be added:

BoundSetOperations<String, Object> expireOperations = this.redis.boundSetOps(expireKey);
expireOperations.add(keyToExpire);

It seems that the following line is missing:

expireOperations.expire(fiveMinutesAfterExpires, TimeUnit.SECONDS);

Could you please confirm if my understanding is correct and whether this could be a potential bug in the implementation?
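
Added example, not code from this issue or from Spring Session: a small in-memory model of two Redis behaviours (SADD creates a set with no TTL; EXPIRE on a key that does not exist yet changes nothing), showing how call order decides whether a minute bucket that receives only one write is left without a TTL. The class name `ExpirationSetTtlDemo`, the key names and the 300-second TTL are constructed for illustration, and the "EXPIRE before SADD" ordering is the scenario the report describes, taken as an assumption rather than a statement of what the library does.

```java
import java.util.*;

public class ExpirationSetTtlDemo {
    // In-memory stand-in for Redis: set members, plus absolute expiry per key (absent = no TTL).
    static final Map<String, Set<String>> sets = new HashMap<>();
    static final Map<String, Long> expiresAt = new HashMap<>();
    static long now = 0;

    // SADD creates the key if needed and never attaches a TTL.
    static void sadd(String key, String member) {
        sets.computeIfAbsent(key, k -> new HashSet<>()).add(member);
    }

    // EXPIRE only works on an existing key; on a missing key it changes nothing.
    static boolean expire(String key, long seconds) {
        if (!sets.containsKey(key)) return false;
        expiresAt.put(key, now + seconds);
        return true;
    }

    // Advance the clock and evict keys whose TTL has lapsed.
    static void tick(long seconds) {
        now += seconds;
        expiresAt.entrySet().removeIf(e -> e.getValue() <= now && sets.remove(e.getKey()) != null);
    }

    // One bucket per minute; even minutes receive one session, odd minutes two.
    // Returns how many bucket keys are still present with no TTL after all TTLs lapse.
    static long orphanedKeys(boolean expireAfterAdd, int minutes) {
        sets.clear(); expiresAt.clear(); now = 0;
        for (int m = 0; m < minutes; m++) {
            String key = "expirations:" + m;             // constructed key name
            for (int s = 0; s <= m % 2; s++) {
                if (!expireAfterAdd) expire(key, 300);   // first write: key missing, no TTL set
                sadd(key, "session-" + m + "-" + s);
                if (expireAfterAdd) expire(key, 300);    // key exists, TTL always set
            }
            tick(60);
        }
        tick(600);
        return sets.keySet().stream().filter(k -> !expiresAt.containsKey(k)).count();
    }

    public static void main(String[] args) {
        System.out.println("EXPIRE before SADD: " + orphanedKeys(false, 10) + " keys without TTL");
        System.out.println("SADD then EXPIRE:   " + orphanedKeys(true, 10) + " keys without TTL");
    }
}
```

In the first ordering only the buckets that received a second write in the same minute end up with a TTL, which matches the report's observation that the TTL is applied only on subsequent saves.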
