Add Java examples to session management docs

Closes gh-8979
This commit is contained in:
Ayush Kohli 2021-08-25 09:16:01 -05:00 committed by Eleftheria Stein
parent 4302a86fad
commit 1cfe84922c
1 changed files with 82 additions and 7 deletions


@ -7,24 +7,55 @@ Typical usage includes session-fixation protection attack prevention, detection
You can configure Spring Security to detect the submission of an invalid session ID and redirect the user to an appropriate URL.
This is achieved through the `session-management` element:
[source,xml]
====
.Java
[source,java,role="primary"]
----
@Override
protected void configure(HttpSecurity http) throws Exception{
http
.sessionManagement(session -> session
.invalidSessionUrl("/invalidSession.htm")
);
}
----
.XML
[source,xml,role="secondary"]
----
<http>
...
<session-management invalid-session-url="/invalidSession.htm" />
</http>
----
====
Note that if you use this mechanism to detect session timeouts, it may falsely report an error if the user logs out and then logs back in without closing the browser.
This is because the session cookie is not cleared when you invalidate the session and will be resubmitted even if the user has logged out.
You may be able to explicitly delete the JSESSIONID cookie on logging out, for example by using the following syntax in the logout handler:
[source,xml]
====
.Java
[source,java,role="primary"]
----
@Override
protected void configure(HttpSecurity http) throws Exception{
http
.logout(logout -> logout
.deleteCookies("JSESSIONID")
);
}
----
.XML
[source,xml,role="secondary"]
----
<http>
<logout delete-cookies="JSESSIONID" />
</http>
----
====
Unfortunately this can't be guaranteed to work with every servlet container, so you will need to test it in your environment
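Review bot: the `[source,xml]` attribute line left directly above the `====` delimiter in both new tabbed blocks of this hunk is a leftover from the former XML-only listing and should be dropped: each tab now carries its own `[source,java,role="primary"]` / `[source,xml,role="secondary"]` attribute, and a `source` style on the enclosing example block is at best ignored and at worst renders the whole tab set as one listing. Style: both Java tabs here write `protected void configure(HttpSecurity http) throws Exception{` without a space before the brace, while the later hunks use `throws Exception {`; make them consistent.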
@ -45,9 +76,20 @@ Header always set Set-Cookie "JSESSIONID=;Path=/tutorial;Expires=Thu, 01 Jan 197
[[ns-concurrent-sessions]]
=== Concurrent Session Control
If you wish to place constraints on a single user's ability to log in to your application, Spring Security supports this out of the box with the following simple additions.
First you need to add the following listener to your `web.xml` file to keep Spring Security updated about session lifecycle events:
First, you need to add the following listener to your configuration to keep Spring Security updated about session lifecycle events:
[source,xml]
====
.Java
[source,java,role="primary"]
----
@Bean
public HttpSessionEventPublisher httpSessionEventPublisher() {
return new HttpSessionEventPublisher();
}
----
.XML
[source,xml,role="secondary"]
----
<listener>
<listener-class>
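Review bot: the Java tab is not equivalent to the XML tab as written. The XML tab registers `HttpSessionEventPublisher` as a servlet listener in `web.xml`, whereas the Java tab only declares `public HttpSessionEventPublisher httpSessionEventPublisher()` as a `@Bean`; that bean becomes a listener only where the framework registers listener beans with the servlet container automatically (Spring Boot does this; a plain `WebApplicationInitializer` does not). Either state that assumption next to the Java tab or add the explicit registration, e.g. `servletContext.addListener(new HttpSessionEventPublisher());`, so concurrent session control is not silently inactive. The same leftover `[source,xml]` line above `====` appears in this hunk as well.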
@ -55,10 +97,25 @@ First you need to add the following listener to your `web.xml` file to keep Spri
</listener-class>
</listener>
----
====
Then add the following lines to your application context:
[source,xml]
====
.Java
[source,java,role="primary"]
----
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement(session -> session
.maximumSessions(1)
);
}
----
.XML
[source,xml,role="secondary"]
----
<http>
...
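Review bot: same leftover `[source,xml]` line above the `====` delimiter; remove it here too. The Java tab itself matches the XML `max-sessions="1"` setting: `session.maximumSessions(1)` returns the concurrency-control configurer, so the lambda form shown is correct and needs no `.and()`.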
@ -67,19 +124,37 @@ Then add the following lines to your application context:
</session-management>
</http>
----
====
This will prevent a user from logging in multiple times - a second login will cause the first to be invalidated.
Often you would prefer to prevent a second login, in which case you can use
[source,xml]
====
.Java
[source,java,role="primary"]
----
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement(session -> session
.maximumSessions(1)
.maxSessionsPreventsLogin(true)
);
}
----
.XML
[source,xml,role="secondary"]
----
<http>
...
<session-management>
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
</http>
----
====
The second login will then be rejected.
By "rejected", we mean that the user will be sent to the `authentication-failure-url` if form-based login is being used.
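Review bot: the closing sentence still explains the rejected login only in XML terms (`authentication-failure-url`); now that a Java tab sits directly above it, name the Java DSL equivalent as well, e.g. "or the `failureUrl` configured via `formLogin(form -> form.failureUrl(...))`", so readers of the primary tab are not left guessing where the second login lands. The `[source,xml]` line above this hunk's `====` is the same leftover as in the earlier hunks and should go.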