Spring Security Max Session Limit Not Working With Spring Session Redis

I am using Spring Boot 2.0.6.RELEASE with auto-configuration for Spring Security and Spring Session. I am using the following Spring settings for the max session limit:

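// Excerpt from the HttpSecurity configuration chain
.sessionManagement()
     .maximumSessions(2)               // at most two concurrent sessions per principal
     .maxSessionsPreventsLogin(true)   // reject the new login instead of expiring an old session
     .sessionRegistry(sessionRegistry)

// Publishes HttpSession created/destroyed events into the Spring context
@Bean
public HttpSessionEventPublisher httpSessionEventPublisher() {
    return new HttpSessionEventPublisher();
}

// Field injection cannot target a final field, so the field is non-final
@Autowired
private RedisOperationsSessionRepository sessionRepository;

// SessionRegistry backed by the Redis session repository
@Bean
public SpringSessionBackedSessionRegistry sessionRegistry() {
    return new SpringSessionBackedSessionRegistry<>(this.sessionRepository);
}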

Enabled keyspace notifications in Redis with:
//config set notify-keyspace-events KEA
//config get notify-keyspace-events

After that, I am getting HttpSessionEvent fired for the session created and destroyed events.

But the maximum allowed session limit is not working. With the above configuration, if I try to log in three times in a row, it should reject the third login… But it allows logging in 3, 4, 5, 6 etc. times as well. Am I missing something here, or is it some restriction with Spring Session Redis?

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

3 reactions
rwinch commented, Oct 23, 2018

The problem is that you are using a custom Authentication Filter which means you need to manually configure it to be aware of concurrency control (i.e. inject the ConcurrentSessionControlAuthenticationStrategy into the custom RestUsernamePasswordAuthenticationFilter). I sent a PR that fixes it https://github.com/ankurpathak/spring-session-cocurrency/pull/1

2 reactions
ankurpathak commented, Oct 24, 2018

@rwinch Now it works like a champ!!
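
One way to wire the fix described in the first comment, as an added example (this is not the code from the linked PR or from the issue author's project). It assumes the custom RestUsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter; the class and method names ConcurrencyAwareFilterSupport, sessionStrategy and apply are hypothetical.

```java
import java.util.Arrays;

import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/** Hypothetical helper: gives a hand-registered login filter the same session checks the DSL applies. */
public final class ConcurrencyAwareFilterSupport {

    private ConcurrencyAwareFilterSupport() {
    }

    /** Builds the strategy chain that sessionManagement().maximumSessions(n) sets up for built-in filters. */
    public static SessionAuthenticationStrategy sessionStrategy(SessionRegistry registry, int maxSessions) {
        ConcurrentSessionControlAuthenticationStrategy concurrency =
                new ConcurrentSessionControlAuthenticationStrategy(registry);
        concurrency.setMaximumSessions(maxSessions);
        // Equivalent of maxSessionsPreventsLogin(true): throw instead of expiring the oldest session
        concurrency.setExceptionIfMaximumExceeded(true);

        // Order matters: count existing sessions first, then rotate the session id
        // (session fixation protection), then register the new session.
        return new CompositeSessionAuthenticationStrategy(Arrays.<SessionAuthenticationStrategy>asList(
                concurrency,
                new ChangeSessionIdAuthenticationStrategy(),
                new RegisterSessionAuthenticationStrategy(registry)));
    }

    /**
     * Injects the strategy into a custom filter. Without this call the filter keeps its
     * default no-op strategy, so the configured limit is never checked at login.
     */
    public static <F extends AbstractAuthenticationProcessingFilter> F apply(
            F filter, SessionRegistry registry, int maxSessions) {
        filter.setSessionAuthenticationStrategy(sessionStrategy(registry, maxSessions));
        return filter;
    }
}
```

Call `apply(customFilter, sessionRegistry, 2)` on the filter before registering it with `HttpSecurity`; a login over the limit then raises a `SessionAuthenticationException`, which the filter routes to its authentication failure handler.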
