Disable multiple logins for same user in spring security + spring boot

Question

I have the below spring configuration :-

static SessionRegistry SR;
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
    .authorizeRequests()
    .antMatchers("/", "/forgotPwd", "/resetPwd").permitAll()
    .anyRequest().authenticated().and().formLogin().loginPage("/login")
    .defaultSuccessUrl("/home").failureUrl("/login?error").permitAll()
    .successHandler(authenticationSuccessHandler) // autowired or defined below
    .and().logout()
    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
    .logoutSuccessHandler(myLogoutSuccessHandler)
    .permitAll()
    .and().sessionManagement()
    .maximumSessions(1)
    .maxSessionsPreventsLogin(true)
    .sessionRegistry(SR);
    }
    @Bean
    public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
    return new ServletListenerRegistrationBean<HttpSessionEventPublisher>(new HttpSessionEventPublisher());
  }

I was expecting sessionManagement().maximumSessions(1) to disable multiple login for the same user. It is working, but first user logout the application, so i am trying login in another browser but it showing This account is already using by someone.

Kindly request you to let me know where its going wrong.

Maybe I misunderstood what you are trying to achieve, I thought you wanted to block the second login? if you want to invalidate the first logged in session simply remove `maxSessionsPreventsLogin(true)`from your config — Pär Nilsson, May 24 '17 at 10:54
@Pär Nilsson: Okay but without `logout` i closed tab,so i am trying to login in another browser but not possible to `login` — Durga, May 24 '17 at 10:57
To clarify, do you want the first session to be invalidated? — Pär Nilsson, May 24 '17 at 11:00

Pär Nilsson · Answer 1 · 2017-05-24T12:00:40.337

1

Remove your httpSessionEventPublisher and SessionRegistry

Try this config:

@Override
protected void configure(HttpSecurity http) throws Exception {
  http.authorizeRequests()
    .antMatchers("/", "/forgotPwd", "/resetPwd").permitAll()
    .anyRequest().authenticated()
    .and()
      .formLogin().loginPage("/login").defaultSuccessUrl("/home").failureUrl("/login?error").permitAll()
    .and()
      .sessionManagement()
      .maximumSessions(1);
}

You can set the session timout in the application.properties

server.session.timeout= # Session timeout in seconds.

edited May 24 '17 at 12:00

answered May 24 '17 at 10:45

Pär Nilsson

2,121
14
19

Not working, you are able login multiple browser with same user – Durga May 24 '17 at 11:10
and when you logged in with the second browser can you still access protected resources? – Pär Nilsson May 24 '17 at 11:13
i solved it, i am getting null values in `sessionregistory`, now how to implement session timeout in my code? – Durga May 24 '17 at 11:29
You can set it in `aplication.properties` see my edit – Pär Nilsson May 24 '17 at 12:01
Not working i tried `server.session.timeout` and `server.session-timeout` – Durga May 24 '17 at 12:03
are you using an embedded server/container? – Pär Nilsson May 24 '17 at 12:09
embedded server, spring boot have tomcat default na? – Durga May 24 '17 at 12:18

Emil Hotkowski · Answer 2 · 2017-05-24T10:50:50.790

0

You should try to invalid user session on logout with and/or delete cookies if you have one.

.logout().deleteCookies(...).invalidateHttpSession(true)

edited May 24 '17 at 10:50

answered May 24 '17 at 10:48

Emil Hotkowski

2,045
1
12
19

What is the meaning of `deleteCookies(...)` – Durga May 24 '17 at 10:49
Check if there are any cookies which are created on login in. If there are, just remove them. First try to add 'invalidHttpSession'. – Emil Hotkowski May 24 '17 at 10:50
Just now i closed the tab without `logout`. And trying to `login` in another browser but not `logging` – Durga May 24 '17 at 11:00
@Druga https://stackoverflow.com/questions/16272137/how-to-end-sessions-automatically-if-user-closes-the-browser – Emil Hotkowski May 24 '17 at 11:11
but i am not using `.xml` files. i am using spring boot – Durga May 24 '17 at 11:16
@Druga it is the same but just put it in Application Properties https://stackoverflow.com/questions/29128277/springboot-app-session-timeout – Emil Hotkowski May 24 '17 at 11:18
Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/145013/discussion-between-durga-and-rjiuk). – Durga May 24 '17 at 11:25

Disable multiple logins for same user in spring security + spring boot

2 Answers2