Is it possible to terminate a logged in user's HttpSession?

We can do the following from within the user's session:

HttpSession s = request.getSession(false); // null if the caller has no session yet
if (s != null) {
    s.invalidate();
}

But how can an Admin-User 'kick-out' a given user?

I was hoping to find some API under ServletContext which would return a list of active sessions, but that doesn't appear to be the case.

I'm using Spring Security 3 & Tomcat 7.

kmansoor

2 Answers

There are basically 2 ways (leaving Spring Security outside consideration as I don't do Spring):

  1. Collect all those sessions in some application wide Map<User, HttpSession>. Then just do

    sessions.get(user).invalidate();
    

    The HttpSessionListener and/or HttpSessionBindingListener may be helpful in cleaning the application wide Map in case of session timeouts/expiration.

  2. Add a boolean column to the DB which is checked on every request by some filter.

    if (shouldLogout(user)) {
        session.invalidate();
    }
    
BalusC
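The first option above, carried through as an added example (this is not the answer's own code): one application-wide map of logged-in users to their sessions, kept in step with login, logout and container timeout through HttpSessionBindingListener, plus the admin-side kick-out. It assumes the login code stores a LoggedInUser object in the session under the attribute name "loggedInUser"; the class name, attribute name and user-name key are assumptions for illustration. It targets the Servlet 3.0 API shipped with Tomcat 7.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/**
 * Application-wide registry of logged-in users' sessions (added example, not the
 * answer's code). The login code is assumed to do
 *   session.setAttribute("loggedInUser", new LoggedInUser(username));
 * after successful authentication. Because this object implements
 * HttpSessionBindingListener, the container calls valueBound/valueUnbound on it, so
 * the map follows the session's real lifecycle: explicit logout, invalidate() and
 * container timeout all remove the entry, and no stale HttpSession reference survives.
 */
public final class LoggedInUser implements HttpSessionBindingListener {

    // One shared map for the whole web application, keyed by user name (assumed key).
    private static final Map<String, HttpSession> SESSIONS = new ConcurrentHashMap<>();

    private final String username;

    public LoggedInUser(String username) {
        this.username = username;
    }

    public String getUsername() {
        return username;
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        // Register this session; if the same user already has another live session,
        // drop the older one so the map never holds two sessions for one principal.
        HttpSession previous = SESSIONS.put(username, event.getSession());
        if (previous != null && previous != event.getSession()) {
            try {
                previous.invalidate();
            } catch (IllegalStateException alreadyInvalid) {
                // The old session timed out in the meantime; nothing left to do.
            }
        }
    }

    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        // Fired on removeAttribute, on invalidate() and on container timeout.
        // remove(key, value) only removes the entry if it still points at this
        // session, so a newer session of the same user is left untouched.
        SESSIONS.remove(username, event.getSession());
    }

    /** Admin-side kick-out: invalidate the named user's session if one is registered. */
    public static boolean kickOut(String username) {
        HttpSession s = SESSIONS.remove(username);
        if (s == null) {
            return false; // user not logged in on this JVM
        }
        try {
            s.invalidate(); // triggers valueUnbound for every listener bound to it
        } catch (IllegalStateException alreadyInvalid) {
            return false; // session expired between lookup and invalidate
        }
        return true;
    }

    public static boolean isLoggedIn(String username) {
        return SESSIONS.containsKey(username);
    }
}
```

An admin action then calls LoggedInUser.kickOut("alice"). The map lives in one JVM, so on a clustered deployment the kicked user may still hold a valid session on another node; the second option in the answer, a per-request check against a flag in the database, is the variant that works across nodes.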
Spring Security has a SessionRegistry in order to handle this kind of scenario. You can declare it using the session-registry-ref attribute in the concurrency-control tag. Here is some documentation.

sinuhepop
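How the SessionRegistry route from this answer looks in code, as an added example rather than the answer's own: an admin service that expires every registered session of a given user. It assumes the registry is wired as shown in the class comment (a SessionRegistryImpl bean referenced via session-registry-ref, and HttpSessionEventPublisher registered in web.xml so timed-out sessions leave the registry); the class name SessionKickoutService is an assumption for illustration.

```java
import java.util.List;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;

/**
 * Admin-side "kick user out" built on Spring Security 3's SessionRegistry
 * (added example, not the answer's code). Assumed wiring:
 *
 *   <http ...>
 *     <session-management>
 *       <concurrency-control session-registry-ref="sessionRegistry"/>
 *     </session-management>
 *   </http>
 *   <beans:bean id="sessionRegistry"
 *       class="org.springframework.security.core.session.SessionRegistryImpl"/>
 *
 * plus, in web.xml, the listener
 *   org.springframework.security.web.session.HttpSessionEventPublisher
 * so that container timeouts are reported to the registry.
 */
public class SessionKickoutService {

    private final SessionRegistry sessionRegistry;

    public SessionKickoutService(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    /**
     * Marks every live session of the named user as expired. The HttpSession is not
     * invalidated here: ConcurrentSessionFilter does that on the user's next request
     * and redirects to the configured expired-url, so application code never has to
     * hold HttpSession references.
     *
     * @return the number of sessions marked expired
     */
    public int expireSessionsOf(String username) {
        int expired = 0;
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (!username.equals(principalName(principal))) {
                continue;
            }
            // false: leave out sessions that are already marked expired
            List<SessionInformation> sessions =
                    sessionRegistry.getAllSessions(principal, false);
            for (SessionInformation info : sessions) {
                info.expireNow();
                expired++;
            }
        }
        return expired;
    }

    /** Resolves the user name of a registered principal (UserDetails or a plain String). */
    private static String principalName(Object principal) {
        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }
        return principal.toString();
    }
}
```

Because the registry is populated by Spring Security itself during authentication, nothing has to be added to the login code; the trade-off is that the kick-out takes effect on the victim's next request rather than immediately.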