Disable multiple logins for same user in spring security + spring boot

Question

I have the below Spring Security configuration:

static SessionRegistry SR;
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/", "/forgotPwd", "/resetPwd").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login")
            .defaultSuccessUrl("/home")
            .failureUrl("/login?error")
            .permitAll()
            .successHandler(authenticationSuccessHandler) // autowired or defined below
            .and()
        .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessHandler(myLogoutSuccessHandler)
            .permitAll()
            .and()
        .sessionManagement()
            .maximumSessions(1)
            .maxSessionsPreventsLogin(true)
            .sessionRegistry(SR);
}

@Bean
public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
    return new ServletListenerRegistrationBean<HttpSessionEventPublisher>(new HttpSessionEventPublisher());
}

I was expecting sessionManagement().maximumSessions(1) to disable multiple login for the same user. It is working, but first user logout the application, so I am trying login in another browser but it showing This account is already using by someone.

Kindly request you to let me know where its going wrong.

To clarify, do you want the first session to be invalidated? — Pär Nilsson, May 24 '17 at 11:00

score 1 · Answer 1 · edited Jan 14 '23 at 22:07

1

Remove your httpSessionEventPublisher and SessionRegistry

Try this config:

@Override
protected void configure(HttpSecurity http) throws Exception {
  http
      .authorizeRequests()
          .antMatchers("/", "/forgotPwd", "/resetPwd").permitAll()
          .anyRequest().authenticated()
          .and()
      .formLogin()
         .loginPage("/login")
         .defaultSuccessUrl("/home")
         .failureUrl("/login?error")
         .permitAll()
         .and()
      .sessionManagement()
         .maximumSessions(1);
}

You can set the session timout in the application.properties

server.session.timeout= # Session timeout in seconds.

edited Jan 14 '23 at 22:07

dur

15,689
25
79
125

answered May 24 '17 at 10:45

Pär Nilsson

2,259
15
19

i solved it, i am getting null values in `sessionregistory`, now how to implement session timeout in my code? – Durga May 24 '17 at 11:29
You can set it in `aplication.properties` see my edit – Pär Nilsson May 24 '17 at 12:01
Not working i tried `server.session.timeout` and `server.session-timeout` – Durga May 24 '17 at 12:03
are you using an embedded server/container? – Pär Nilsson May 24 '17 at 12:09
embedded server, spring boot have tomcat default na? – Durga May 24 '17 at 12:18

Emil Hotkowski · Answer 2 · 2017-05-24T10:50:50.790

0

You should try to invalid user session on logout with and/or delete cookies if you have one.

.logout().deleteCookies(...).invalidateHttpSession(true)

edited May 24 '17 at 10:50

answered May 24 '17 at 10:48

Emil Hotkowski

2,233
1
13
19

What is the meaning of `deleteCookies(...)` – Durga May 24 '17 at 10:49
Check if there are any cookies which are created on login in. If there are, just remove them. First try to add 'invalidHttpSession'. – Emil Hotkowski May 24 '17 at 10:50
Just now i closed the tab without `logout`. And trying to `login` in another browser but not `logging` – Durga May 24 '17 at 11:00
@Druga https://stackoverflow.com/questions/16272137/how-to-end-sessions-automatically-if-user-closes-the-browser – Emil Hotkowski May 24 '17 at 11:11
but i am not using `.xml` files. i am using spring boot – Durga May 24 '17 at 11:16
@Druga it is the same but just put it in Application Properties https://stackoverflow.com/questions/29128277/springboot-app-session-timeout – Emil Hotkowski May 24 '17 at 11:18
Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/145013/discussion-between-durga-and-rjiuk). – Durga May 24 '17 at 11:25

Disable multiple logins for same user in spring security + spring boot

2 Answers2