
I have a customized RegisterSessionAuthenticationStrategy and I'm using CompositeSessionAuthenticationStrategy with exceptionIfMaximumExceeded = false.

I have the following scenario:

  • login on browser #1
  • login on browser #2

I want the first session to be destroyed, but they both stay active. When I reach SessionRegistry.registerNewSession, session #1 is set as expired, but I never get a SessionDestroyedEvent for it.

security.xml

```xml
    <security:session-management
        session-authentication-strategy-ref="sas" />

</security:http>

<bean id="sas"
    class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
    <constructor-arg>
        <list>
            <bean
                class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
                <constructor-arg ref="clusteredSessionRegistryImpl" />
                <property name="maximumSessions" value="1" />
                <property name="exceptionIfMaximumExceeded" value="false" />
            </bean>
            <bean
                class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
                <constructor-arg ref="clusteredSessionRegistryImpl" />
            </bean>
        </list>
    </constructor-arg>
</bean>
```
Michael
lior
  • And you won't... As there is no way to invalidate the `HttpSession` from another `HttpSession`. Only the `invalid` flag in the `SessionRegistry` will be toggled. – M. Deinum Apr 02 '15 at 09:47
  • @M.Deinum Thanks for the answer, so now I have 2 active sessions? Is there a way to destroy the older one? It seems I'm still logged in in the old one – lior Apr 02 '15 at 10:30
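
In Spring Security the expired flag discussed in the comments above is enforced by `ConcurrentSessionFilter`, which checks the `SessionRegistry` on each request and logs out a session whose entry is marked expired. The configuration below is an added example, not part of the original post or its comments; the bean id `concurrencyFilter` is an assumption, and the remaining `<security:http>` attributes and children are omitted because the page does not show them.

```xml
<!-- security.xml (added example; bean id "concurrencyFilter" is an assumption) -->
<security:http>
    <!-- Runs on every request: looks up the current session id in the registry
         and, if its SessionInformation is marked expired, performs a logout,
         which invalidates the HttpSession by default. -->
    <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
    <security:session-management session-authentication-strategy-ref="sas" />
</security:http>

<bean id="concurrencyFilter"
    class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <!-- Must be the same registry instance that the "sas" strategies write to -->
    <constructor-arg ref="clusteredSessionRegistryImpl" />
</bean>

<!-- web.xml: publishes session lifecycle events into the Spring context,
     so the invalidation above surfaces as a SessionDestroyedEvent and the
     registry can drop the stale entry. -->
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
```

With this wiring the older session is invalidated on its next request, not at the moment of the second login, so a `SessionDestroyedEvent` for it appears only after browser #1 sends another request.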

0 Answers