
How can I deny a second log in (with the same or a different user) to an already authenticated HTTP session?

For Form-Login I found the following work-arounds:

But these work-arounds are not perfect, because I can still access the login-processing-url and execute a second log in. That is a problem for all authentication mechanisms without a login page, like HTTP Basic Authentication and Kerberos.

My Java Configuration:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
// nested static class as posted; drop "static" if this is used as a top-level class
public static class MyWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/**").hasAuthority("ROLE_user")   // every URL requires ROLE_user
                .and()
            .formLogin()
                .loginProcessingUrl("/Login").permitAll()        // URL the login form posts to
                .loginPage("/index.jsp").permitAll()
                .defaultSuccessUrl("start.jsp")
                .failureUrl("/index.jsp")
                .and()
            .httpBasic();                                        // also accept HTTP Basic credentials
    }
}

Example:

  1. User A: Logs in with HTTP Basic Authentication.
  2. System: Creates a session and returns a session cookie.
  3. User B: Logs in with HTTP Basic Authentication on same machine and sends session cookie.
  4. System: Creates a new session, merges all values from old session into new session (see SessionFixationProtectionStrategy), destroys old session and returns new session cookie.
  • Implement custom `SessionAuthenticationStrategy`. – Aleksandr M Jan 11 '16 at 11:44
  • @Aleksandr M: Thank you. Maybe I could check if the session is already authenticated and throw an exception. But at the moment I'm not sure that the `SessionAuthenticationStrategy` is executed before `BASIC_AUTH_FILTER` in the filter chain. I will read the Spring Security Reference and try to implement it. – dur Jan 11 '16 at 12:21
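Following Aleksandr M's suggestion, here is an added example (not code from the thread) of a custom `SessionAuthenticationStrategy` that refuses a login when the incoming session already holds an authenticated `SecurityContext`, for the same or a different user, instead of migrating the session as `SessionFixationProtectionStrategy` does. The class name, the static helper and the composite wiring are assumptions; it assumes Spring Security 4.x, where `sessionManagement().sessionAuthenticationStrategy()` is available.

```java
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

/** Hypothetical strategy: a session that is already authenticated cannot be used for a second login. */
public class RejectSecondLoginStrategy implements SessionAuthenticationStrategy {

    @Override
    public void onAuthentication(Authentication newAuth,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return; // no session yet: first login, nothing to guard
        }
        Object stored = session.getAttribute(
                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        Authentication current = stored instanceof SecurityContext
                ? ((SecurityContext) stored).getAuthentication() : null;
        if (current == null || !current.isAuthenticated()
                || current instanceof AnonymousAuthenticationToken) {
            return; // session exists, but nobody is logged in on it
        }
        // Same user or a different one: reject the login instead of merging the
        // old session into a new one. SessionAuthenticationException is an
        // AuthenticationException, so the calling filter reports a failed login.
        throw new SessionAuthenticationException("Session already authenticated as '"
                + current.getName() + "', refusing login as '" + newAuth.getName() + "'");
    }

    /** Assumed wiring helper: rejection runs first, fixation protection only for a genuinely fresh login. */
    public static SessionAuthenticationStrategy strategyForHttpSecurity() {
        return new CompositeSessionAuthenticationStrategy(Arrays.asList(
                new RejectSecondLoginStrategy(),
                new SessionFixationProtectionStrategy()));
    }
}
```

In the question's `configure(HttpSecurity)` add `http.sessionManagement().sessionAuthenticationStrategy(RejectSecondLoginStrategy.strategyForHttpSecurity());`. The check only fires where the filter chain actually invokes the strategy, which is exactly the open point about `BASIC_AUTH_FILTER` raised in the comments above.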

1 Answer


Put the following entry in web.xml:

<listener>
  <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

and in your spring security config, use the following snippet:

<http>
  <session-management>
    <concurrency-control max-sessions="1" expired-url="/redirect-page" />
  </session-management>
</http>
  • Your solution has two disadvantages: 1. The user cannot log in twice with separate sessions. 2. It works only for the same user; a different user can still use the same session. I will update my question to make it clear. – dur Jan 11 '16 at 11:39
  • M. Deinum: Sure, I'm authenticated after log in, but with another user. That's the problem. I don't want to share a session (or merge) with two users. – dur Jan 11 '16 at 12:23