@giangio Strange if the user has an invalid session is they try to access something they don't have access to they should get a 401, which tells your front end that they need to login. If you want your app to actually log out the user when the session is invalid then the front end would need to know that the session invalidation happened, to do that you would have to have a listener for the session being destroyed and then send out a Server side push, WebSocket message or have the frontend periodically poll the backend(long polling). Also found this: https://guides.grails.org/grails4/server-sent-events/guide/index.html If you want to capture the session destroyed event you could use something like list: https://stackoverflow.com/questions/11843010/logout-session-timeout-catching-with-spring-security/18128496#18128496 However rather than dealing with web.xml you would have to register a bean for it in your resources.groovy Spring Session moves your session to a separate data store which can give you greater control over the session, you can also tap into and override how it does things, which I've done to get at various points to get specific logging and capture events.