
I want a user to log in only once, and I am using the code below. It is working, but it allows the same user to log in twice (creating 2 different sessions), and then on the 3rd login attempt it gives an error message.

```java
@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .anyRequest().authenticated()
        .and()
        .formLogin()
        .and()
        .httpBasic()
        .and()
        .sessionManagement()
        .maximumSessions(1)
        .maxSessionsPreventsLogin(true)
        .sessionRegistry(sessionRegistry());
}

private SessionRegistry sessionRegistry() {
    SessionRegistry sessionRegistry = new SessionRegistryImpl();
    return sessionRegistry;
}

@Bean
public HttpSessionEventPublisher httpSessionEventPublisher() {
    return new HttpSessionEventPublisher();
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication()
        .withUser("u")
        .password("{noop}p") // Spring Security 5 requires specifying the password storage format
        .roles("USER");
}
```
  • **How** are you testing this? Using a single browser you cannot test this as the session will be shared, you will need a browser and either an incognito window or really 2 separate different browsers or machines! – M. Deinum Jun 25 '20 at 08:42
  • @M.Deinum I am testing this in Chrome because I have to do it in a way in which the user is not allowed to log in again in the same or a different browser while he is already logged in. – Prashant Kumar Jun 25 '20 at 08:51
  • That won't work. As soon as you open a new tab or window, the session information is going to be copied, so it isn't really a new session but still the existing one. It will only work if you test this with a separate browser (Firefox, Brave etc.) next to your current one OR if you open an incognito window (as that won't copy the session information). – M. Deinum Jun 25 '20 at 08:53
  • @M.Deinum Thanks, it is working the same way as you said. I used it in different browsers. Can you help me with how to do this in one browser? In the current code I am setting maxSession per user to 1 but it is allowing it to log in 2 times (I don't know how) and on the 3rd login the user is getting an error msg. – Prashant Kumar Jun 25 '20 at 09:02
  • I already explained how. Use an incognito (privacy) window instead of a regular one. You cannot do this opening a regular tab or window as that will copy the cookies, local storage etc. and thus you are basically still logged in. – M. Deinum Jun 25 '20 at 09:21
  • @M.Deinum I printed the session id during login and it is creating a different session id when I log in for the 2nd time on the same browser, and the first login session id is still active. If a new session id is created in the 2nd login, then why is Spring allowing me to log in and giving the error message at the 3rd login attempt? – Prashant Kumar Jun 25 '20 at 12:56
  • @KavithakaranKanapathippillai Thanks for your reply. So limiting one user to one session is not achieved this way. Can you help me with any other way to achieve this functionality in the same browser? – Prashant Kumar Jun 25 '20 at 15:29

0 Answers