Ethical Hacker

Programmer, budding Entrepreneur, Father to little angel

Spring Security - Concurrent Session Management

In a recent interview that I attended, the interviewer asked me whether I knew how to design a web application with concurrent session management, i.e. when a user logs in to the application, any previous session of theirs that is still alive is terminated. My quick answer was that one can track each user's state with session management plus a database table field that records whether the user is currently logged in or not.

While the above is easy to implement, things get complicated if the user closes the browser without logging out: the "logged in" flag stays set even though the session is gone. Fortunately, Spring Security's Concurrent Session Management gives us an easy solution.

ConcurrentSessionControlAuthenticationStrategy has a configurable maximumSessions property, which we set to 1 here so that a new login expires the user's older session. The strategy needs a SessionRegistry to know which sessions belong to which principal, so the sessionRegistry bean is passed to its constructor. Below is the gist of the core Spring Security config that one should use:

<!-- Registry of live sessions per principal; the strategy reads and expires entries here -->
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>

<bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
    <constructor-arg ref="sessionRegistry"/>
    <!-- 1 = at most one live session per user; the older one is marked expired on a new login -->
    <property name="maximumSessions" value="1"/>
</bean>
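As an added example (not code from the original post or its sample project), here is the equivalent wiring in Spring Security's Java configuration (3.2/4.x style, using WebSecurityConfigurerAdapter). It includes the two pieces the bean above depends on to actually terminate the old session: an HttpSessionEventPublisher, so the registry is told when a session is invalidated or times out (the case where the user just closes the browser), and the ConcurrentSessionFilter that maximumSessions() installs so that requests arriving on the expired session are redirected instead of served. The package, class name, URLs and the in-memory user are made up for the example.

```java
package com.example.security; // hypothetical package for the example

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class ConcurrentSessionConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .logout()
                .and()
            .sessionManagement()
                // Same setting as maximumSessions="1" in the XML bean above.
                .maximumSessions(1)
                // false (the default): the new login wins and the older session is
                // marked expired in the registry. true would instead reject the new
                // login while an older session is alive.
                .maxSessionsPreventsLogin(false)
                // ConcurrentSessionFilter sends requests that arrive on the expired
                // session here, so the old browser tab cannot keep working.
                .expiredUrl("/login?expired")
                // Expose the registry as a bean so other code can list active sessions.
                .sessionRegistry(sessionRegistry());
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed demo credentials only; a real application uses its own
        // UserDetailsService and a password encoder.
        auth.inMemoryAuthentication()
            .withUser("user").password("password").roles("USER");
    }

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // The registry is only updated on session destruction if this listener receives
    // HttpSessionDestroyedEvent. Spring Boot registers a listener @Bean automatically;
    // in a plain servlet container it must also be declared as a <listener> in web.xml
    // (or added via ServletContext.addListener) or the registry will keep stale entries.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

With this in place, a second login for the same user from another browser expires the first session in the registry; the next request from the first browser is redirected to /login?expired. If the first browser is simply closed, the container's session timeout destroys the session and, via the publisher, removes it from the registry, so the user is not locked out by a stale entry the way the database-flag approach would.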

The sample project is available on GitHub.

Reference:
http://docs.spring.io/spring-security/site/docs/3.2.0.RC2/reference/htmlsingle/#session-mgmt