Reputation: 1232
I am using Spring Security v3.1.3 in my web application. The app has a single-entry login form customized with custom-filter in Spring Security. For now, my configuration allows a user to be logged in to the app automatically if he opens the URL from a different tab in the same browser, which is the default behavior of Spring Security session management.
I want to ensure that whenever a user logs into the application, the session is not shared across different tabs. On opening a new tab, he should get the login page, and logging in would create a new session in the same browser. For now I could not find any way to do this with the Spring Security framework. I wouldn't mind integrating JSESSIONID in URLs, but it would be better if there is another way.
Upvotes: 5
Views: 4909
Reputation: 96
You can make use of HeaderWebSessionIdResolver. Spring uses CookieWebSessionIdResolver by default.
To make use of it, use a random sessionId and save it in session storage, and send it along with your headers. This will vary across tabs, and will provide you with different web sessions.
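
    import org.springframework.context.annotation.Bean
    import org.springframework.context.annotation.Configuration
    import org.springframework.web.server.session.DefaultWebSessionManager
    import org.springframework.web.server.session.HeaderWebSessionIdResolver
    import org.springframework.web.server.session.WebSessionIdResolver

    // Named differently from the resolver's headerName property: inside apply { }
    // a bare headerName refers to the resolver's own property, not to this constant.
    const val SESSION_HEADER_NAME = "SomeHeaderName"

    @Configuration
    class SessionConfig {
        // Read and write the session id in a request/response header instead of a cookie.
        @Bean
        fun headerWebSessionIdResolver(): WebSessionIdResolver {
            return HeaderWebSessionIdResolver().apply {
                headerName = SESSION_HEADER_NAME
            }
        }

        // Plug the header-based resolver into the WebFlux session manager.
        @Bean
        fun webSessionManager(webSessionIdResolver: WebSessionIdResolver): DefaultWebSessionManager {
            return DefaultWebSessionManager().apply {
                sessionIdResolver = webSessionIdResolver
            }
        }
    }
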
Upvotes: 0
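The browser side of the header-based approach in the answer above, as an added example that is not part of the original answer. It keeps the session id the server returns in the configured header in the tab's `sessionStorage` and sends it back on later requests; `STORAGE_KEY` and the function names are hypothetical, and `SESSION_HEADER` is assumed to match the `headerName` set in the server configuration.

```javascript
// Added example (not from the original answer): per-tab session id handling.
const SESSION_HEADER = "SomeHeaderName"; // assumed to match the server's headerName
const STORAGE_KEY = "tabSessionId";      // hypothetical sessionStorage key

// Copy this tab's stored session id, if any, into the outgoing request headers.
function withSessionHeader(storage, headers = {}) {
  const id = storage.getItem(STORAGE_KEY);
  return id ? { ...headers, [SESSION_HEADER]: id } : { ...headers };
}

// Store the id found in a response; responseHeaders must offer .get(name).
// Returns true when the stored value changed, false when the header was absent.
function rememberSessionHeader(storage, responseHeaders) {
  const id = responseHeaders.get(SESSION_HEADER);
  if (id == null) return false;   // no header on this response: keep current id
  if (id === "") {                // assumption: an empty value means the session ended
    storage.removeItem(STORAGE_KEY);
    return true;
  }
  storage.setItem(STORAGE_KEY, id);
  return true;
}

// fetch wrapper for the page's own API calls; storage and fetchImpl are injectable.
async function tabFetch(url, options = {}, storage = sessionStorage, fetchImpl = fetch) {
  const response = await fetchImpl(url, {
    ...options,
    headers: withSessionHeader(storage, options.headers),
    credentials: "omit", // never fall back to a cookie shared by all tabs
  });
  rememberSessionHeader(storage, response.headers);
  return response;
}
```

Unlike an `HttpOnly` cookie, a value in `sessionStorage` can be read by any script running on the page, so an XSS flaw exposes the session id directly. For cross-origin calls the server also has to list the header in `Access-Control-Expose-Headers`, otherwise the script cannot read it from the response.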
Reputation: 1784
This is not a limitation of Spring Security; it is a general limitation of how browsers work with cookies: if you set a cookie, it's going to be shared by all tabs.
That said, the only reasonable option I can think of right now would be to include the session id in the URL, as you suggested.
Upvotes: 0