suresh

Reputation: 1

User sessions overlap in Spring MVC with Auth0 integration

I am facing an issue with user sessions in a Spring MVC Java web app. User sessions are overlapping.

Ex: Here we have 2 completely different users using different browsers: john@yahoo.com is using Chrome and sara@yahoo.com is using Edge. The behaviour that we have noticed is that Sara's session in the Edge browser is overlapping John's session in Chrome... So Sara is seeing John's profile in her browser window.

Controller endpoint:

```java
@RequestMapping(value = { "/" }, method = RequestMethod.GET)
public void loancenter(HttpServletRequest request, HttpServletResponse response) throws IOException {
    try {
        String redirectUri = config.getContextPath(request) + "/test/callback";
        String authorizeUrl = authenticationController.buildAuthorizeUrl(request, response, redirectUri)
                .withScope("openid name email family_name address phone_number user_id profile identities").build();
        response.sendRedirect(authorizeUrl);
    } catch (Exception e) {
        LOG.info("Login page error");
        response.sendRedirect(config.getContextPath(request) + "/test");
    }
}

@RequestMapping(value = "/callback", method = RequestMethod.GET)
public void callback(HttpServletRequest request, HttpServletResponse response)
        throws IOException, IdentityVerificationException {
    try {
        Tokens tokens = authenticationController.handle(request, response);

        DecodedJWT jwt = JWT.decode(tokens.getIdToken());
        List<GrantedAuthority> grantedAuths = new ArrayList<GrantedAuthority>();
        grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
        Authentication auth = new UsernamePasswordAuthenticationToken(jwt.getSubject(), jwt.getToken(), grantedAuths);
        request.setAttribute("email", jwt.getClaims().get("email").asString());

        SecurityContextHolder.getContext().setAuthentication(auth);
        response.sendRedirect(config.getContextPath(request) + "/test/home.do");
    } catch (Exception e) {
        LOG.info("callback page error");
        response.sendRedirect(config.getContextPath(request) + "/test");
    }
}
```

SecurityConfigurations:

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf()
        .disable()
        .addFilterAfter(new MyCustomFilter(), UsernamePasswordAuthenticationFilter.class);

    http.authenticationProvider(getAuthenticationProvider())
        .authorizeRequests()
        .antMatchers("/callback", "/", "/auth0/authorize", "/resources/**", "/public/**", "/static/**")
        .permitAll()
        .anyRequest()
        .authenticated();

    http.formLogin()
        .successHandler(getUserLoginHandler());

    http.logout()
        .invalidateHttpSession(true)
        .logoutSuccessUrl("/logout.do")
        .addLogoutHandler(getUserLogoutHandler());

    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.NEVER)
        .sessionFixation().newSession()
        .maximumSessions(1)
        .maxSessionsPreventsLogin(true)
        .expiredUrl("/login?invalid-session=true");
}
```

Can someone please help me to fix this issue?

Thanks in advance!

Upvotes: 0

Views: 191

Answers (0)
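Added example, not the poster's code and not a diagnosis of their specific overlap: a callback handler that binds the Auth0 login result explicitly to the calling browser's own HTTP session, so the authentication never lives only in a thread-local or request attribute that a redirect or a reused worker thread can lose or leak. It assumes the same Auth0 `AuthenticationController` collaborator as the question and that a session is allowed to be created at the callback (a `NEVER` creation policy would not create one).

```java
import java.io.IOException;
import java.util.Collections;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.auth0.AuthenticationController;
import com.auth0.IdentityVerificationException;
import com.auth0.Tokens;
import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

public class SessionBoundCallback {
    // Assumed collaborator, as in the question: the Auth0 SDK controller is stateless and may be shared.
    private final AuthenticationController authenticationController;

    public SessionBoundCallback(AuthenticationController authenticationController) {
        this.authenticationController = authenticationController;
    }

    /** Exchanges the Auth0 callback for tokens and binds the result to this request's own session. */
    public void handleCallback(HttpServletRequest request, HttpServletResponse response, String homeUrl)
            throws IOException, IdentityVerificationException {
        Tokens tokens = authenticationController.handle(request, response);
        // handle() has already verified the ID token; decode() only reads its claims.
        DecodedJWT jwt = JWT.decode(tokens.getIdToken());
        // Credentials are null so the raw ID token is not retained in the session.
        Authentication auth = new UsernamePasswordAuthenticationToken(jwt.getSubject(), null,
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));

        // A fresh context per login; never mutate a context object that other threads might see.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(auth);
        SecurityContextHolder.setContext(context);

        // Create the session explicitly (a NEVER policy would not), rotate its id at the login boundary,
        // and store the context where HttpSessionSecurityContextRepository reads it on later requests.
        HttpSession session = request.getSession(true);
        request.changeSessionId();
        session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
        // Request attributes do not survive the redirect; per-user data belongs on the session.
        session.setAttribute("email", jwt.getClaim("email").asString());
        response.sendRedirect(homeUrl);
    }
}
```

When two browsers still show each other's profile after this, the per-user state is being held somewhere shared (a singleton field in a controller, filter or handler) rather than on the session, and that is the place to check next.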
