user973479

Reputation: 1659

Spring Security doesn't kill session when browser closes

I am using Spring Security 3.1 and am using

 <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />

Is there a way to force the session to close when the browser closes? I need to keep the max-sessions to 1 for concurrency control.

Thanks!

Upvotes: 6

Views: 9648

Answers (2)

Atul

Reputation: 3357

I had a similar issue, like this:

  1. You log in as some user, say zzzz
  2. You close the browser
  3. You try to log in again as the same user zzzz
  4. The login fails with a message that the maximum number of sessions was exceeded

The code I have on my spring security file is:

<session-management invalid-session-url="/?timeout=true">
  <concurrency-control max-sessions="1" expired-url="/logout?timeout" />
</session-management>

I solved this issue by adding a session timeout entry to the web.xml file. I set the session timeout value to 5 min, built the application and deployed it. It's working fine.

Maybe this will help someone.

Thanks, Atul

Upvotes: 1

Alonso Dominguez

Reputation: 7858

I would add a custom filter of my own just before the "CONCURRENT_SESSION_FILTER" and check in the request URI for a string like "force-logout.do" (or something similar).

Then, in the HTML generated I would have a JavaScript event handler like the following:

<script type="text/javascript">
function force_logout() {
  // AJAX request to server notifying that the browser has been closed.
}
</script>

<body onbeforeunload="force_logout();">
</body>

That would work for IE and Firefox (you should check other browsers as well). Your filter just needs to check the URI and perform a session.invalidate() in case it matches the "force logout URI" and return immediately or just bypass the request to the filter chain otherwise.

NOTE: I'm not adding the AJAX code since I don't know if you are using a specific AJAX framework. With prototype.js it would be fairly simple.

Upvotes: 3
