lior

Reputation: 1187

Spring Security creation of new session

I'm using Spring Security. I have this scenario:

  1. Create 2 users
  2. Log in with the first and log in again with the second before the session of user 1 expires

The correct behavior is that the first session is set to expired and a new session is created.

Which Spring Security part is in charge of doing the expiration and the creation of the new session? The success handler / authentication provider?

Upvotes: 0

Views: 1359

Answers (1)

We are Borg

Reputation: 5313

I presume this is what you are looking for; if not, please let me know and I will delete my answer. You need something for session management. I have the XML code this way.

    <security:session-management session-fixation-protection="migrateSession">
        <security:concurrency-control session-registry-ref="sessionRegistry" max-sessions="1" expired-url="/login"/>
    </security:session-management>

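Also the class below for sessionRegistry:

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.session.SessionRegistry;
    import org.springframework.security.core.session.SessionRegistryImpl;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(final HttpSecurity http) throws Exception {
            // -1 places no limit on concurrent sessions per user; logins are still tracked in the registry
            http.sessionManagement().maximumSessions(-1).sessionRegistry(sessionRegistry());
        }

        // Registry of active sessions, referenced by session-registry-ref in the XML
        @Bean
        public SessionRegistry sessionRegistry() {
            return new SessionRegistryImpl();
        }

    }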

Instead of migrateSession, you can use newSession; that way, the old session will be automatically expired and a fresh one will be created.

Upvotes: 1
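
The XML session-management settings from the answer, written as Java configuration with newSession, as an added example that is not part of the original answer. It assumes a Spring Security version that still provides WebSecurityConfigurerAdapter and a form login; the class name SessionSecurityConfig is hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SessionSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical class name

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .sessionManagement()
                // On each successful authentication SessionFixationProtectionStrategy
                // invalidates the current HttpSession and creates a clean one;
                // application attributes are not copied (migrateSession() would copy them).
                .sessionFixation().newSession()
                // ConcurrentSessionControlAuthenticationStrategy: one session per
                // principal; the older one is marked expired in the registry.
                .maximumSessions(1)
                // ConcurrentSessionFilter redirects a request on an expired session here.
                .expiredUrl("/login")
                .sessionRegistry(sessionRegistry());
    }

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Forwards session-destroyed events so the registry drops logged-out or
    // timed-out sessions; assumes Spring Boot, which registers listener beans
    // (in a web.xml deployment declare it as a <listener> instead).
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

Both strategies run inside the authentication filter before the success handler is called, so neither the success handler nor the authentication provider has to manage the session.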
