We have a spring security application with a standard default setting. Currently, we allow only 1 session per participant, rejecting additional logins by the same director until the first session is completed or expires (maximumSessions = 1, excpeptionIfMaximumExceeded = true).
I would like to change this so that when the main log is logged a second time with the current active entry into another session, the first session is canceled / replaced. This is easy to accomplish with the spring-provided concurrent security session control strategy, but I am having trouble figuring out how to alert the user. When a user session is replaced, the session is invalid by the logout handler. The next request will be redirected to the login page with an error code in the query string. However, if the request that receives this redirect is an image or other non-program call, I cannot handle this.
It seems I need to put the user in an inbetween state where they have a session, but it has expired and they need to log in if they do not mean replacing their original session. However, I do not see a good way to do this.
Is there an example of such a setting somewhere?
source
share