5

I am using Spring Security v3.1.3 in my web application. The app has a single-entry login form customized with a custom-filter in Spring Security. For now, my configuration allows a user to be automatically logged in to the app if he opens the URL from a different tab in the same browser, which is the default behavior of Spring Security session management.

I want to ensure that whenever a user logs into the application, the session does not get shared across different tabs. On opening a new tab, he should get the login page, and logging in would create a new session in the same browser. For now I could not find any way to do this with the Spring Security framework. I wouldn't mind integrating JsessionID in URLs, but it would be better if there is another way.

ishan
  • Maybe this will be of some help to you: http://www.codeproject.com/Articles/331609/Get-an-unique-session-in-each-browser-tab and this: http://www.carbonrider.com/2011/01/15/tab-based-browser-session-handling/ – Sumeet Sharma Jun 24 '14 at 07:50
  • This posting looks like it might help. Seems this is something you do on the browser side, not in the server-side code. Anyway, SO link: http://stackoverflow.com/questions/368653/how-to-differ-sessions-in-browser-tabs/11783754#11783754 – CodeChimp Aug 13 '14 at 11:29

2 Answers

0

This is not a limitation of Spring Security; this is a general limitation of how browsers work with cookies: if you set a cookie, it's going to be shared by all tabs.

That said, the only reasonable option I can think of right now would be to include the session id in the URL, as you suggested.

Adrian Lopez
0

You can make use of HeaderWebSessionIdResolver. Spring uses CookieWebSessionIdResolver by default.

To make use of it, use a random sessionId and save it in session storage, and send it along with your headers. This will vary across tabs, and will provide you with different web sessions.

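import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.web.server.session.DefaultWebSessionManager
import org.springframework.web.server.session.HeaderWebSessionIdResolver
import org.springframework.web.server.session.WebSessionIdResolver

// Named differently from the resolver's `headerName` property: inside apply { } a bare
// `headerName` refers to the receiver's property, not to a top-level value.
const val SESSION_HEADER_NAME = "SomeHeaderName"

@Configuration
class SessionConfig {

    // Resolve the session id from a request header instead of a cookie.
    @Bean
    fun headerWebSessionIdResolver(): WebSessionIdResolver {
        return HeaderWebSessionIdResolver().apply {
            headerName = SESSION_HEADER_NAME
        }
    }

    // Session manager wired to the header-based resolver.
    @Bean
    fun webSessionManager(webSessionIdResolver: WebSessionIdResolver): DefaultWebSessionManager {
        return DefaultWebSessionManager().apply {
            sessionIdResolver = webSessionIdResolver
        }
    }
}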
jakshay
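A browser-side example of the approach in the answer above, added here and not code from the answer: each tab keeps its session id in `sessionStorage` and echoes it in the `SomeHeaderName` header from the configuration. It stores the id the server returns in that response header rather than one generated in the browser; the storage key and function names are hypothetical, and treating an empty header value as expiry is an assumption about the server's behaviour.

```javascript
// Added example (not from the answer): per-tab session id handling in the browser.
const SESSION_HEADER = "SomeHeaderName"; // header name used in the configuration above
const STORAGE_KEY = "tabSessionId";      // hypothetical sessionStorage key

// Return a copy of the fetch options with this tab's session id attached, if any.
function withSessionHeader(init, storage) {
  const headers = new Headers(init.headers);
  const id = storage.getItem(STORAGE_KEY);
  if (id) headers.set(SESSION_HEADER, id);
  return { ...init, headers };
}

// Record the id issued by the server; an empty header value is treated as expiry.
function rememberSessionId(responseHeaders, storage) {
  const issued = responseHeaders.get(SESSION_HEADER);
  if (issued === null) return;            // header absent: keep the current id
  if (issued === "") storage.removeItem(STORAGE_KEY);
  else storage.setItem(STORAGE_KEY, issued);
}

// fetch wrapper for one tab. sessionStorage is scoped to one tab, so a tab
// opened by typing the URL starts without an id and must log in again.
function createTabFetch(storage = globalThis.sessionStorage, fetchImpl = globalThis.fetch) {
  return async function tabFetch(url, init = {}) {
    const response = await fetchImpl(url, withSessionHeader(init, storage));
    rememberSessionId(response.headers, storage);
    return response;
  };
}
```

Unlike an HttpOnly session cookie, an id held in `sessionStorage` is readable by any script running in the page, so cross-site scripting exposes it directly.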