
I'm using Spring Security 3.1.4 and I would like to limit the number of sessions per user to 1, but if someone tries to log in it will close the old session and open a new one (instead of not allowing the log in). How can I do this?

EDIT: this is what I added to the XMLs:

web.xml

<listener>
    <listener-class>com.net.filter.session.SessionListener</listener-class>
</listener>

SessionListener extends HttpSessionEventPublisher

security.xml

<security:http use-expressions="true">
    <security:intercept-url pattern="/**" access="isAuthenticated()" />

    <security:session-management>
        <security:concurrency-control max-sessions="1" />
    </security:session-management>

    <security:form-login
        authentication-success-handler-ref="playerAuthenticationSuccessHandler" />
    <security:logout logout-url="/player/logout"
        success-handler-ref="playerLogoutSuccessHandler" delete-cookies="JSESSIONID" />
</security:http>

<bean id="bCryptPasswordEncoder"
    class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

<security:authentication-manager>
    <security:authentication-provider ref="authenticationProvider" />
</security:authentication-manager>

where playerAuthenticationSuccessHandler, authenticationProvider and playerLogoutSuccessHandler extend the Spring defaults.

lior
  • Did you read [the documentation](http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-session-mgmt)? That's the default behaviour if you enable concurrency control. It doesn't actually invalidate the old session but marks it as unusable until it expires normally. – Shaun the Sheep Jan 06 '14 at 19:30
  • Thanks, I read it but I have some questions. I tried it and, as you said, it doesn't invalidate it. Is there a "mark unusable" event listener? Is there a way to log out the old session? – lior Jan 07 '14 at 08:30
  • It doesn't retain a reference to the actual session, just the ID, so it can't invalidate it. If the same ID is reused again, it will invalidate the session. – Shaun the Sheep Jan 07 '14 at 13:53
  • I tried this scenario and it doesn't work as I expected: 1. first log in. 2. log in from a different browser. Now, going to the first browser, I can still do stuff I must be logged in for. – lior Jan 07 '14 at 14:12
  • Then most likely your configuration is wrong. Please start by deploying the tutorial sample app. – Shaun the Sheep Jan 07 '14 at 15:15
  • As @LukeTaylor said, the behavior you describe is the default. If you want an exception to be thrown instead then add `error-if-maximum-exceeded="true"` to the `concurrency-control` tag. Next, if you want to show a nice page to the user you can specify the `session-authentication-error-url` attribute on the `session-management` tag. – M. Deinum Jan 08 '14 at 11:20
  • @M.Deinum, I tried it but nothing happens. I updated my question with the XML configuration. – lior Jan 08 '14 at 11:25
  • I don't see anything in your configuration with regard to the suggested attributes. – M. Deinum Jan 08 '14 at 11:36
  • Found a solution!! Needed to implement hashCode and equals, like @LukeTaylor suggested in http://stackoverflow.com/questions/19319849/spring-security-3-1-session-concurrency-control-not-working-why – lior Jan 08 '14 at 11:54

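The fix from the last comment, shown as an added example rather than code from the question: a principal class whose equals/hashCode are keyed on the username, plus a stand-alone replay against SessionRegistryImpl of what concurrency control does on the second login. The Player class, its constructor arguments, the role name and the session ids are assumptions made for this example.

```java
import java.util.Collection;
import java.util.List;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical principal class, assumed to be what the custom authenticationProvider
// stores in the Authentication. SessionRegistryImpl maps principal -> session ids, so
// without equals/hashCode each login is a "new" user and max-sessions="1" never trips.
public class Player implements UserDetails {
    private final String username;
    private final String passwordHash;
    public Player(String username, String passwordHash) {
        this.username = username;
        this.passwordHash = passwordHash;
    }
    // Identity is the account name, not the object instance, so two logins of the
    // same account resolve to the same registry key.
    @Override public boolean equals(Object o) {
        return o instanceof Player && username.equals(((Player) o).username);
    }
    @Override public int hashCode() { return username.hashCode(); }
    @Override public Collection<? extends GrantedAuthority> getAuthorities() {
        return AuthorityUtils.createAuthorityList("ROLE_PLAYER"); // assumed role name
    }
    @Override public String getPassword() { return passwordHash; }
    @Override public String getUsername() { return username; }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return true; }

    // Stand-alone replay of what concurrency control does on a second login
    // (session ids and the password hash are constructed placeholders).
    public static void main(String[] args) {
        SessionRegistryImpl registry = new SessionRegistryImpl();
        registry.registerNewSession("SESSION-A", new Player("lior", "HASH-PLACEHOLDER"));
        Player second = new Player("lior", "HASH-PLACEHOLDER"); // new instance, same account
        List<SessionInformation> live = registry.getAllSessions(second, false);
        // Without equals/hashCode this lookup misses SESSION-A (different key) and
        // nothing is expired; with them the existing session is marked expired here.
        for (SessionInformation s : live) {
            s.expireNow(); // ConcurrentSessionFilter invalidates it on its next request
        }
        registry.registerNewSession("SESSION-B", second);
        System.out.println("SESSION-A expired: " + registry.getSessionInformation("SESSION-A").isExpired());
    }
}
```

The old browser only learns it has been expired when it sends its next request, which is why the first browser in the comments kept working until the registry could actually match the two logins to one principal.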
0 Answers