From 0aab19ed4b0f44890fc2243d9af3303af4b321d5 Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Mon, 28 Dec 2009 14:32:54 +0000 Subject: [PATCH] Added additional info on concurrent session usage --- docs/manual/src/docbook/session-mgmt.xml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/docs/manual/src/docbook/session-mgmt.xml b/docs/manual/src/docbook/session-mgmt.xml index 1361b3eb8e..1b13f68abf 100644 --- a/docs/manual/src/docbook/session-mgmt.xml +++ b/docs/manual/src/docbook/session-mgmt.xml @@ -62,10 +62,14 @@ Spring Security is able to prevent a principal from concurrently authenticating to the same application more than a specified number of times. Many ISVs take advantage of this to enforce licensing, whilst network administrators like this feature because it helps prevent - people from sharing login names. You can, for example, stop user "Batman" from logging onto - the web application from two different sessions. - This feature is supported by the namespace, so please check the earlier namespace chapter - for the simplest configuration. Sometimes you need to customize things though. + people from sharing login names. You can, for example, stop user Batman from + logging onto the web application from two different sessions. You can either expire their + previous login or you can report an error when they try to log in again, preventing the second + login. Note that if you are using the second approach, a user who has not explicitly logged + out (but who has just closed their browser, for example) will not be able to log in again + until their original session expires. + Concurrency control is supported by the namespace, so please check the earlier namespace + chapter for the simplest configuration. Sometimes you need to customize things though. The implementation uses a specialized version of SessionAuthenticationStrategy, called ConcurrentSessionControlStrategy. Previously the