Reputation: 1213
I spent a lot of time trying to solve this problem, yet still couldn't get it to work.
I am using Spring Security. The application will run on multiple servers. I use the "remember me" option on login to save persistent logins in my database.
If a user is connected to server 1, he has a session id in the browser's cookies. I turn on another server and this user authenticates, and the browser's cookies now hold this session id and the session id of the server 1 connection.
When this user logs out on one server or the other, he should be redirected to the login page on all servers.
I tried to remove the cookies from the browser without success. How can I make this work? Any help?
Example scenario: in Gmail, if you have 2 tabs open in your account and you log out from one of them, the other tab automatically logs out too. Server 1 doesn't know the information of server 2. I think my problem is here, but I don't know how I can solve it.
This is my security config:
<http auto-config="false" use-expressions="true" disable-url-rewriting="true">
    <intercept-url pattern="/login.do" access="permitAll" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <!-- Persistent tokens live in the persistent_logins table of the shared dataSource, so every
         server validates the same cookie. services-alias exports the namespace-created
         RememberMeServices so the logoutFilter below can reference it as "rememberMeServices". -->
    <remember-me data-source-ref="dataSource" services-alias="rememberMeServices" />
    <form-login login-page="/login.do" />
    <!-- Custom concurrency control replaces the namespace <concurrency-control> element. -->
    <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
    <!-- Custom logout filter replaces the namespace <logout> element (must not be used together). -->
    <custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />
    <session-management session-authentication-strategy-ref="sas" />
</http>
<!-- <logout logout-url="/j_spring_security_logout" logout-success-url="/" invalidate-session="true" /> -->
<!-- Logout: the remember-me services delete the persistent token (cookie and DB row), the
     logoutHandler (e.g. SecurityContextLogoutHandler, defined elsewhere) invalidates the local
     HTTP session. Only the session on THIS server is invalidated; a session on another server
     is untouched by this filter. -->
<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <beans:constructor-arg value="/login.do" /> <!-- logout success URL -->
    <beans:constructor-arg>
        <beans:list>
            <beans:ref bean="rememberMeServices" />
            <beans:ref bean="logoutHandler" />
        </beans:list>
    </beans:constructor-arg>
    <!-- <beans:property name="filterProcessesUrl" value="/login.do" /> -->
</beans:bean>
<!-- SessionRegistryImpl is an in-memory registry local to one JVM: with several servers each
     keeps its own registry, so maximumSessions="1" is only enforced per server. -->
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<beans:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry" />
    <beans:property name="expiredUrl" value="/login.do" />
</beans:bean>
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    <beans:property name="maximumSessions" value="1" />
</beans:bean>
<authentication-manager alias="authenticationManager">
    <!-- jdbcUserService must be defined elsewhere (e.g. <jdbc-user-service id="jdbcUserService" .../>) -->
    <authentication-provider user-service-ref="jdbcUserService" />
</authentication-manager>
Upvotes: 2
Views: 16813
Reputation: 24040
Here are 3 solutions for your multiple-server scenario:
Use sticky sessions on your load balancer so the user keeps going back to the same server. Then you just invalidate the session when they log out. This is usually coupled with a session failover solution (Tomcat example) so that if a server goes down a user can be redirected to a new server that picks up their old session.
Use a distributed cache for sessions (for example Terracotta Web Sessions). Then when they log out, invalidate the session and it will be invalidated everywhere.
Another solution is to use a customized Spring Security TokenBasedRememberMeServices as your "login" cookie. If the user does not select remember me, go ahead and set the cookie anyway, but make it a browser session cookie instead of a persistent cookie. All servers will recognize the user and create a session for it. When the user logs out, drop the cookie. You'll also need a custom RememberMeAuthenticationFilter that looks for an authentication token in the session and a missing RememberMe cookie, invalidating the session and clearing the security context if that is the case.
Upvotes: 5
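The third option above, worked through as an added example (this is not code from the answer's author or from Spring Security itself). It assumes the Spring Security 3.1 API (the `TokenBasedRememberMeServices(key, userDetailsService)` constructor), that all servers sit behind one hostname so the browser sends the same cookie to each of them, that the remember-me `key` and cookie name are identical on every server, and that the filter is wired with `<custom-filter after="SECURITY_CONTEXT_FILTER" ref="..."/>` so it runs after the security context has been loaded from the session. The class names, the package and the `/login.do` URL are hypothetical.

```java
package example.sso; // hypothetical package, not part of the question or answer

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
import org.springframework.web.filter.GenericFilterBean;

/**
 * Remember-me services that issue the signed token cookie on EVERY successful login.
 * If the user did not tick "remember me", the cookie is a browser-session cookie
 * (maxAge -1) so it disappears when the browser closes. Because the token is
 * validated from the cookie alone (signature over username, expiry, password hash
 * and the shared key), any server with the same key can accept it without a
 * shared session store.
 */
public class LoginCookieRememberMeServices extends TokenBasedRememberMeServices {

    public LoginCookieRememberMeServices(String key, UserDetailsService userDetailsService) {
        super(key, userDetailsService);
        setAlwaysRemember(true); // loginSuccess() then always calls onLoginSuccess() -> setCookie()
    }

    @Override
    protected void setCookie(String[] tokens, int maxAge,
                             HttpServletRequest request, HttpServletResponse response) {
        // Persist across browser restarts only if the user actually asked for it.
        super.setCookie(tokens, userAskedToBeRemembered(request) ? maxAge : -1, request, response);
    }

    private boolean userAskedToBeRemembered(HttpServletRequest request) {
        String v = request.getParameter(getParameter()); // the configured remember-me parameter
        return v != null && (v.equalsIgnoreCase("true") || v.equalsIgnoreCase("on")
                || v.equalsIgnoreCase("yes") || v.equals("1"));
    }

    /** Lets the filter below reuse the configured cookie name instead of hard-coding it. */
    public boolean hasRememberMeCookie(HttpServletRequest request) {
        return extractRememberMeCookie(request) != null;
    }
}

/**
 * If this server still holds an authenticated session but the login cookie is gone
 * (the user logged out on another server, which cancelled the cookie), kill the
 * local session and send the user to the login page.
 */
class RememberMeCookieRequiredFilter extends GenericFilterBean {

    private final LoginCookieRememberMeServices rememberMeServices;
    private final String loginUrl; // e.g. "/login.do" (assumed)

    RememberMeCookieRequiredFilter(LoginCookieRememberMeServices rememberMeServices, String loginUrl) {
        this.rememberMeServices = rememberMeServices;
        this.loginUrl = loginUrl;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false); // never create one here
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        boolean loggedIn = auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);

        if (session != null && loggedIn && !rememberMeServices.hasRememberMeCookie(request)) {
            SecurityContextHolder.clearContext(); // clear first so nothing is saved back
            session.invalidate();
            response.sendRedirect(request.getContextPath() + loginUrl);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Wire `LoginCookieRememberMeServices` as the `rememberMeServices` bean used by both the form-login filter and the logout filter's handler list (so logout calls its `logout()`, which cancels the cookie), and register `RememberMeCookieRequiredFilter` after `SECURITY_CONTEXT_FILTER`. Two caveats a reviewer would raise: the cookie is the only credential, so it must be `Secure` (and `HttpOnly` where the container supports it), and logout is purely client-side with `TokenBasedRememberMeServices`: a copy of the cookie captured before logout stays valid until the expiry time baked into the token, since there is no server-side record to revoke. If that is unacceptable, keep the persistent-token variant from the question (shared `persistent_logins` table) and apply the same missing-cookie filter to it.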
Reputation: 9697
I would recommend you to have a look at SessionRegistry. You can check this here. There has been a discussion on this at "Is it possible to invalidate a spring security session?". Check this out too.
Spring sessions are stored as JSESSIONID cookies. Check here for a discussion on cookie removal.
The same query has been discussed at "Invalid a session when user makes logout (Spring)".
Upvotes: 1