Jeg Bagus

Reputation: 5075

Strange behaviour of Spring Security session concurrency

I find that Spring Security session concurrency is very strange.

<sec:session-management>
        <sec:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</sec:session-management>

The code means that only one user can be logged in at a time.

  1. I successfully log in, then hit the logout button. The logout is successful (I don't get my username anymore). But when I try to log in again, I just get an exception that the maximum sessions were exceeded. Is the session in Spring Security not deleted cleanly?
  2. I finish logging in, and without logging out, I try to log in again. I can still log in. But the second time I try to log in again, I get an exception that the maximum sessions were exceeded. I think the login should be rejected the first time I try to log in again.

Thanks for your response. Best regards

Upvotes: 2

Views: 2461

Answers (3)

axtavt

Reputation: 242686

Make sure you didn't forget to configure a listener in web.xml, as required for session management:

<listener>
    <listener-class>
        org.springframework.security.web.session.HttpSessionEventPublisher
    </listener-class>
</listener>

Upvotes: 9
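
Why a missing listener can produce both symptoms from the question, as an added example that is not part of any answer here and not Spring Security code: a simplified Python model that assumes the session registry only forgets a session when its destroyed event is published, and that a re-login from the same browser replaces the session id. `Container`, `run` and the user `alice` are constructed for illustration.

```python
# Simplified model (an assumption, not Spring Security source) of max-sessions="1".
import itertools

class MaxSessionsExceeded(Exception):
    pass

class Container:
    """Constructed stand-in for the servlet container plus session registry."""

    def __init__(self, listener_registered, max_sessions=1):
        self.listener_registered = listener_registered
        self.max_sessions = max_sessions
        self.registry = {}  # session id -> principal, as the registry sees it
        self._ids = itertools.count(1)

    def _destroy(self, session_id):
        # The container always discards the session. The registry only hears
        # about it if the listener publishes the session-destroyed event.
        if self.listener_registered:
            self.registry.pop(session_id, None)

    def login(self, user, current_session=None):
        known = [s for s, p in self.registry.items() if p == user]
        same_session = current_session in known
        if len(known) > self.max_sessions or (
                len(known) == self.max_sessions and not same_session):
            raise MaxSessionsExceeded(user)
        if current_session is not None:
            self._destroy(current_session)  # old id replaced on re-login
        new_id = "S%d" % next(self._ids)
        self.registry[new_id] = user
        return new_id

    def logout(self, session_id):
        self._destroy(session_id)  # session invalidated on logout

def run(listener_registered, logout_between):
    """Log in three times as one user; return the outcome of each attempt."""
    c, session, outcomes = Container(listener_registered), None, []
    for _ in range(3):
        try:
            session = c.login("alice", session)
            outcomes.append("ok")
        except MaxSessionsExceeded:
            outcomes.append("rejected")
        if logout_between and session:
            session = c.logout(session)  # logout() returns None
    return outcomes
```

`run(False, True)` corresponds to item 1 of the question and `run(False, False)` to item 2; with `listener_registered=True` every attempt in the model succeeds.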

Sagar

Reputation: 1262

I think Raghuram is right.

Try the following:

<logout invalidate-session="true" logout-url="/logout.htm"
logout-success-url="/login.jsp?loggedout=true" />

Here I am invalidating the session on logout and redirecting the user to the login page. Hope this is helpful. If this is not the case, then let me know.

Upvotes: 0

Raghuram

Reputation: 52645

I guess Spring Security has not been told to invalidate the current session on logout. This can be done with the <logout> element, as documented here.

Upvotes: 1
