cheese

Reputation: 165

How to ensure the same account is not used to log in two different people at the same time in Spring Security?

I have a Spring MVC app that does not protect updates of user data with transactions.

It assumes that only a single user is accessing the account data for that account at any one time.

However, if two users were to log in using the same authentication credentials, it is theoretically possible, although unlikely, for two database updates on the same user data to overlap and conflict.

Is there a simple way to protect against this in Spring Security?

Upvotes: 2

Views: 805

Answers (3)

Kap

Reputation: 3

The answer from Aaron Digulla is the best one. The suggestion from BalusC is not good because if someone steals your login credentials then he can gain access to the system and the legitimate user will be logged out. If that person is meant for evil then he can change the password and the legitimate user can't access his/her account anymore.

The best way is what Aaron suggested.

Upvotes: 0

axtavt

Reputation: 242686

Spring Security supports protection against concurrent logins. See 2.3.3 Session Management for instructions on how to enable it.

Upvotes: 7

Aaron Digulla

Reputation: 328536

Add a column to the user database called "logged in". If that value is set, then refuse a second login.

Upvotes: 2
