Skip to content

Property expiredUrl of SessionManagement is not handled correctly #4165

New issue
New issue
Open
Open
Property expiredUrl of SessionManagement is not handled correctly#4165
Labels
status: waiting-for-triageAn issue we've not yet triaged
@MassimoScattarella

Description

@MassimoScattarella
MassimoScattarella
opened on Dec 21, 2016

Spring Boot Security

Property expiredUrl of SessionManagement is not handled correctly

Actual Behavior

This situation is verified by having the limit of max 1 sessions for user in security config. Then signing in with the first user (A) and then logging in with the second user (B), the first one (A) is being invalidated on the server side correctly. When the first user (A) refreshes the page, instead of too many sessions per user error message, Spring security returns Invalid Session error code.

Detailed procedure is described below:

For cocurrent session, in this case expiredUrl not work, this is my use case:

  1. Open the first tab/browser and sign in
  2. Open the second tab/browser and sign in
  3. Go to the first tab/browser and refresh the page(F5) and redirect to invalidSessionUrl. KO

On step #3 spring will return invalidSessionUrl error message instead of too many sessions per user.

In order to avoid the session being shared, I reccomend to use two different browsers or a browser in incognito mode.

Note: The third step must be performed before the session timeout otherwise the session will be invalidated by timeout instead of concurrent session.
For testing, in demo project the session expiration is configured to 20 seconds.

Expected Behavior

  1. Open first browser = go to login page, insert credential and go home page.
  2. Open second browser = go to login page, insert credential and go home page.
  3. Go to first browser and press refresh page(F5) and redirect to expiredUrl. (Redirect to invalidSessionUrl only if session expired)

Configuration

.sessionManagement()
	.sessionFixation().migrateSession()
	.invalidSessionUrl(LOGIN_INVALID_SESSION_URL)
	.maximumSessions(1)
	.maxSessionsPreventsLogin(false)
	.expiredUrl(LOGIN_EXPIRED_URL)

WorkAround

Add custom filter customConcurrentSessionFilter before ConcurrentSessionFilter.

http.addFilterBefore(customConcurrentSessionFilter(), ConcurrentSessionFilter.class)

Remove expiredUrl from default configuration because it is already declared into the custom filter

.sessionManagement()
    .sessionFixation().migrateSession()
    .invalidSessionUrl(LOGIN_INVALID_SESSION_URL)
    .maximumSessions(1)
    .maxSessionsPreventsLogin(false)
    //.expiredUrl(LOGIN_EXPIRED_URL)  <-- Note on commented instruction

Custom filter is almost identical to the ConcurrentSessionFilter, except in doFilter(...) before sending the redirect, creating new empty session.
By doing this, when the SessionManagementFilter is invoked, it does not handle InvalidSession error.

Version

Spring boot 1.4.2.RELEASE

Sample

https://github.com/MassimoScattarella/FixConcurrentSessionForSpringBootSecurity

Metadata

Metadata

Assignees

No one assigned

    Labels

    status: waiting-for-triageAn issue we've not yet triaged

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions