Add getCreationTime() to SessionInformation for enhanced session lifecycle support

[sweidner-rio]

Summary

I'd like to propose adding a getCreationTime() method to the org.springframework.security.core.session.SessionInformation interface to enhance session lifecycle visibility and control. See also the discussion with @jgrandja in auth_time claim doesn't show the time of the original authentication. #2035

Motivation Currently, SessionInformation provides metadata such as the session ID, principal, last request time, and expiration status, but it lacks the creation timestamp of the session.

Adding getCreationTime() would provide key benefits for a variety of real-world use cases:

Use Cases

1. Auditing & Compliance

• Enable "Who logged in when?" tracking.
• Useful for audit trails in regulated environments.

2. Custom Session Expiration Rules based on creation time

3. Session Monitoring & Admin Tools

• Example session display: "User X has been logged in since 08:12, last activity at 08:55."

4. OpenID Connect Support

• Support for auth_time claim in ID Tokens.
• Easier implementation of the max_age query parameter in OIDC requests (see: OpenID Connect Core 1.0 – §3.1.2.1 ).

[therepanic]

I read the discussion and that's a really good feature. If no one objects, I could implement it

[jgrandja]

@sweidner-rio Thanks for logging the details. Instead of getCreationTime() let's introduce getCreatedTime().

@therepanic Thanks for the offer. I assigned the issue to you.