There is an adminUser A who can make the session of another rest-api user B expired.
Collection<SessionInformation> usersSessions = sessionRegistry.getAllSessions(user, true);
usersSessions.forEach((temp) -> {
    temp.expireNow();
});
Now, when the user B tries to make any rest request for the first time, it gets the following 200 response without any content-type:
This session has been expired (possibly due to multiple concurrent logins being attempted as the same user).
I wanted to send the user a proper response, something like INVALID_SESSION with a proper HttpStatus, so I tried to intercept the servlet with a custom org.springframework.web.servlet.HandlerInterceptor (which works in other scenarios), and I observed that even the preHandle method was not being called.
It seems that the response is being sent during the session verification process. I have no idea how this actually works. Is there a way to get a custom response? Can javax.servlet.http.HttpSessionListener be useful?
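
An added example, not part of the original post: the message above is written by Spring Security's ConcurrentSessionFilter, which runs in the security filter chain before the DispatcherServlet, so a HandlerInterceptor never sees the request. The filter delegates to a SessionInformationExpiredStrategy, which can be replaced. The class names, the 401 status and the JSON body are assumptions for illustration, as is a javax.servlet-based Spring Security version (4.2 or later) using WebSecurityConfigurerAdapter.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.SessionInformationExpiredEvent;
import org.springframework.security.web.session.SessionInformationExpiredStrategy;

// Hypothetical strategy: replaces the default plain-text 200 body that
// ConcurrentSessionFilter writes when it sees an expired SessionInformation.
public class JsonSessionExpiredStrategy implements SessionInformationExpiredStrategy {
    @Override
    public void onExpiredSessionDetected(SessionInformationExpiredEvent event) throws IOException {
        HttpServletResponse response = event.getResponse();
        // 401 is an assumed choice: the client must authenticate again.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        response.getWriter().write("{\"error\":\"INVALID_SESSION\"}");
        response.flushBuffer();
    }
}

// Hypothetical configuration wiring the strategy into concurrency control.
@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Bean
    SessionRegistry sessionRegistry() {
        // Same registry the admin code calls getAllSessions(...) on.
        return new SessionRegistryImpl();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement()
            .maximumSessions(-1) // -1 = no limit; still enables ConcurrentSessionFilter
            .sessionRegistry(sessionRegistry())
            .expiredSessionStrategy(new JsonSessionExpiredStrategy());
    }
}
```

The admin code that calls expireNow() has to use the same SessionRegistry bean that is passed to sessionRegistry(...) here, otherwise the filter never sees the expired flag.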