Spring Security does not kill a session when closing a browser

I am using Spring Security 3.1 and using

<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" /> 
  • I open a browser and log in (IE9 example)
  • I close this browser
  • I open another browser (Firefox example)
  • I cannot log in because I am still registered in another browser.

Is there a way to force a session to close when the browser closes? I need to keep max sessions to 1 to control concurrency.

Thanks!

+6
2 answers

I would add my own custom filter immediately before "CONCURRENT_SESSION_FILTER" and check the request URI for a string like "force-logout.do" (or something similar).

Then, in the generated HTML, I would handle the JavaScript event as follows:

 <script type="text/javascript">
 function force_logout() {
     // AJAX request to server notifying that the browser has been closed.
 }
 </script>
 <body onbeforeunload="force_logout();">
 </body>

This will work for IE and Firefox (you should also check other browsers). Your filter just needs to check the URI and execute session.invalidate() if it matches the "URI of failure" and immediately return, or simply bypass the request to the filter chain otherwise.

NOTE. I am not adding AJAX code since I do not know if you are using a specific AJAX structure. With prototype.js, that would be pretty simple.

+3

I had a similar problem, e.g.:

  • You are logged in as some user, say zzzz
  • You close the browser
  • You try to log in again as the same user zzzz
  • The login fails with a message that the maximum number of sessions has been exceeded

The code I have in my spring security file is:

 <session-management invalid-session-url="/?timeout=true">
     <concurrency-control max-sessions="1" expired-url="/logout?timeout" />
 </session-management>

I solved this problem by adding a session timeout entry to the web.xml file. I set the session timeout value to 5 minutes, built the application and deployed it. It works great.

Perhaps this will help someone.

Thanks Atul

0

Source: https://habr.com/ru/post/907394/

