login problem with max-session="1"
  • login problem with max-session="1"

    Hello,

    I'm using Spring Security (with Hibernate, but I doubt that matters here).
    I'm using this code to forbid multiple connections by one user:
    Code:
    <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
    It works well. When user 1 is connected, he can't log in again; user 2 can log in with no problem.
    If user 1 disconnects using the disconnect button, he's disconnected and can log in again.

    However, if user 1 closes his internet browser while he's connected, he needs to log in again to access pages, but he gets the following message:
    Code:
    Maximum sessions of 1 for this principal exceeded
    He's stuck outside of the application.

    How can I resolve it?

  • #2
    It all depends on your requirements. The easiest option I see would be to have the second user logout the first user. This option is explained in the reference.



    • #3
      Hello,

      Thanks for your answer.
      That's what I thought, but isn't there any solution to fix it and keep exception-if-maximum-exceeded="true"?

      I'm a little bit surprised that nobody talks about this problem. You don't expect every user to disconnect from his session properly, do you?
      As soon as he doesn't, it's quite a blocking problem :/



      • #4
        JavaScript might do the trick:

        Code:
        window.onbeforeunload = function() {
           // This template uses no error checking; it's just concept code to be
           // expanded on.

           // Create a new XMLHttpRequest object
           var AJAX = new XMLHttpRequest();

           // Handle ready state changes (ignore them until readyState == 4)
           AJAX.onreadystatechange = function() { if (AJAX.readyState != 4) return false; };

           // We're passing false so this is a synchronous request:
           // the script blocks until the response arrives (or the page is torn down).
           // The URL below depends on a global variable named _userID.
           AJAX.open("GET", 'http://someurl.com/endsession.php?id=' + _userID, false);
           AJAX.send(null);
        }



        • #5
          There really isn't much you can do about it. If the browser is closed the server is not notified and so the server cannot know that the user was "logged off". Another option you have is to shorten the length of the session (this is web container specific so consult your application server documentation for details on this). You could also provide some JavaScript hooks that could catch some scenarios, but realistically you are not guaranteed to know what the user is doing on the browser side.

          PS: Technically the user is still logged in when they close their browser. The reason they appear to be logged out is that the JSESSIONID cookie is deleted. If someone still had a reference to the JSESSIONID and provided that in the request, they would still be logged in.

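An added example, not code from the thread or from Spring Security: a toy Python model of the session registry that concurrent-session-control consults (in Spring the real classes are SessionRegistryImpl and ConcurrentSessionControlStrategy; every name below is invented), replaying the scenarios from #2 and #5. Closing the browser only discards the JSESSIONID cookie, so the registered session stays alive and the old cookie keeps working while a fresh login is rejected; a shorter timeout, an explicit logout, or the "expire the oldest session" policy frees the slot.

```python
# Added example (not code from the thread): a toy model of the registry that Spring
# Security's concurrent-session-control consults. All names are invented here.
class MaxSessionsExceeded(Exception):
    """Stands in for 'Maximum sessions of 1 for this principal exceeded'."""

class SessionRegistry:
    def __init__(self, max_sessions=1, exception_if_max_exceeded=True, timeout_s=1800):
        self.max_sessions = max_sessions
        self.exception_if_max_exceeded = exception_if_max_exceeded
        self.timeout_s = timeout_s
        self.sessions = {}  # session id -> (principal, time of last request)
    def _live(self, principal, now):  # this principal's sessions not yet timed out
        return [sid for sid, (p, last) in self.sessions.items()
                if p == principal and now - last < self.timeout_s]
    def login(self, principal, session_id, now):
        live = self._live(principal, now)
        if len(live) >= self.max_sessions:
            if self.exception_if_max_exceeded:
                raise MaxSessionsExceeded(principal)
            # exception-if-maximum-exceeded="false": expire the oldest session instead
            del self.sessions[min(live, key=lambda s: self.sessions[s][1])]
        self.sessions[session_id] = (principal, now)
    def request(self, session_id, now):
        """A request presenting JSESSIONID stays authenticated until timeout or logout."""
        entry = self.sessions.get(session_id)
        if entry is None or now - entry[1] >= self.timeout_s:
            self.sessions.pop(session_id, None)
            return None
        self.sessions[session_id] = (entry[0], now)
        return entry[0]
    def logout(self, session_id):
        """The disconnect button: session invalidated and the registry notified."""
        self.sessions.pop(session_id, None)

def closed_browser_scenario(policy_raises=True, timeout_s=1800):
    """user1 logs in, closes the browser (server sees nothing), logs in again at t=60."""
    reg = SessionRegistry(exception_if_max_exceeded=policy_raises, timeout_s=timeout_s)
    reg.login("user1", "sidA", now=0)
    try:
        reg.login("user1", "sidB", now=60)
    except MaxSessionsExceeded:
        return "rejected", reg.request("sidA", now=61)  # old cookie still works
    return "accepted", reg.request("sidA", now=61)

def logout_scenario():
    """The disconnect button frees the slot: user1 can log in again at once."""
    reg = SessionRegistry()
    reg.login("user1", "sidA", now=0)
    reg.logout("sidA")
    reg.login("user1", "sidB", now=5)
    return reg.request("sidB", now=6), reg.request("sidA", now=6)
```

With the default policy the second login is rejected while the old session id still answers; with `policy_raises=False` (the option from #2) the first session is expired instead, and with a short `timeout_s` (the option from #5) the slot frees itself.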


          • #6
            Seems to work:
            Code:
            <script>
            window.onbeforeunload = function() {
                var logoff = new XMLHttpRequest();
                logoff.open("GET", '/logoff.jsp', true);
                logoff.send();
            }
            </script>



            • #7
              Originally posted by rwinch:
              If someone still had a reference to the JSESSIONID and provided that in the request, they would still be logged in.
              Good remark, that's indeed a solution. Either log him in or kill his session.


              Originally posted by wims.tijd:
              seems to work

              Code:
              <script>
              window.onbeforeunload = function() {
                  var logoff = new XMLHttpRequest();
                  logoff.open("GET", '/logoff.jsp', true);
                  logoff.send();
              }
              </script>
              Do you just put it between your <head> </head> tags?
              It doesn't work for me.



              • #8
                You are right: the user cannot log on after logout.

                Config:

                Code:
                <security:http auto-config="true" pattern="/**">
                    <security:intercept-url pattern="/*" access="ROLE_USER,ROLE_ADMIN"/>
                    <security:logout logout-url="/logout"/>
                    <security:anonymous enabled="false"/>
                    <security:session-management>
                        <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" session-registry-alias="session-registry"/>
                    </security:session-management>
                </security:http>

                <bean class="org.springframework.security.authentication.event.LoggerListener"/>
                <bean class="org.springframework.security.access.event.LoggerListener"/>
                JSP:

                Code:
                <html>
                <head>
                <script>
                window.onbeforeunload = function() {
                    // synchronous GET so the request completes before the page unloads
                    var logoff = new XMLHttpRequest();
                    logoff.open("GET", '/logout', false);
                    logoff.send();
                }
                </script>
                </head>
                <frameset>
                    <frame src="contens.jsp"/>
                </frameset>
                </html>
                Log:

                Code:
                LoggerListener - Security interception failed due to: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in
                LoggerListener - Authentication event AuthenticationSuccessEvent: willem; details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0
                LoggerListener - Authentication event InteractiveAuthenticationSuccessEvent: willem; details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddre
                LoggerListener - Security authorized for authenticated principal: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@91a8c618: Principal: org.springframew
                LoggerListener - Security authorized for authenticated principal: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@91a8c618: Principal: org.springframew
                LoggerListener - Security interception failed due to: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in
                LoggerListener - Security interception failed due to: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in

                So after closing the window or tab, '/logout' is called and redirected to '/' (default), hence the 'Security interception failed'.

                Switched to debugging:

                Code:
                SecurityContextLogoutHandler - Invalidating session: ts9n9ly76nd8
                So the logout is called, but the 2nd logon still fails with:

                Code:
                Reason: Maximum sessions of 1 for this principal exceeded
