  • Session getting created twice and session not getting decremented.

    Hi All,
    I am using Spring Security in our application. It works fine, but sometimes Spring Security creates two sessions for the same login. We are printing the number of active sessions for the user, and here it prints 2, even though I am sure the user is not logged in from anywhere else; also, sometimes the counter (session) doesn't get decremented. Below is my security-config.xml.
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans
                               http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                               http://www.springframework.org/schema/security
                               http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
    	<security:http auto-config="true" access-denied-page="/accessDenied.jsp">
    		<!-- Restrict URLs based on role -->
    		<security:intercept-url pattern="/login.jsp"
    			access="IS_AUTHENTICATED_ANONYMOUSLY" />
    
    		<security:intercept-url pattern="/logout_page.jsp"
    			access="IS_AUTHENTICATED_ANONYMOUSLY" />
    
    		<security:intercept-url pattern="/redirect.jsp"
    			access="IS_AUTHENTICATED_ANONYMOUSLY" />
    
    		<security:intercept-url pattern="/images/*"
    			access="IS_AUTHENTICATED_ANONYMOUSLY" />
    
    		<security:intercept-url pattern="/css/*"
    			access="IS_AUTHENTICATED_ANONYMOUSLY" />
    
    		<security:intercept-url pattern="/scripts/*"
    			access="IS_AUTHENTICATED_ANONYMOUSLY" />
    
    		<security:intercept-url pattern="/dojoscripts/**"
    			access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<security:intercept-url pattern="/index*"
    			access="IS_AUTHENTICATED_ANONYMOUSLY" />
    
    
    		<security:intercept-url pattern="/**"
    			access="ROLE_ADMIN,ROLE_USER" />
    
    		<!-- Override default login and logout pages -->
    		<security:form-login login-page="/login.jsp"
    			login-processing-url="/loginProcess" default-target-url="/mainLayout.htm"
    			authentication-failure-url="/login.jsp?login_error=1"
    			always-use-default-target="true" />
    		<security:logout invalidate-session="true" logout-url="/logout"
    			logout-success-url="/logout_page.jsp" />
    		<security:session-management
    			session-authentication-strategy-ref="sas" />
    	</security:http>
    
    	<security:authentication-manager>
    		<security:authentication-provider
    			ref="ldapAuthProvider" />
    	</security:authentication-manager>
    
    	<bean id="customcontextSource"
    		class="com.ethernet.portal.security.authentication.CustomContextSource">
    		<property name="url" value="" />
    	</bean>
    
    	<bean id="ldapAuthProvider"
    		class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    		<constructor-arg>
    			<!-- <bean class ="com.ethernet.ldap.client.MyCustomAuthenticator" /> -->
    			<bean
    				class="org.springframework.security.ldap.authentication.BindAuthenticator">
    				<constructor-arg ref="customcontextSource" />
    				<property name="userDnPatterns">
    					<list>
    						<value>uid={0},ou=People,dc=mydomain,dc=com</value>
    					</list>
    				</property>
    			</bean>
    		</constructor-arg>
    		<constructor-arg>
    			<bean
    				class="com.ethernet.portal.security.authentication.CustomAuthoritiesPopulator">
    			</bean>
    		</constructor-arg>
    	</bean>
    
    	<bean id="sas"
    		class="com.ethernet.portal.security.authentication.ConcurrentSessionControlStrategyImpl">
    		<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    		<property name="exceptionIfMaximumExceeded" value="true" />
    	</bean>
    
    	<bean id="sessionRegistry"
    		class="org.springframework.security.core.session.SessionRegistryImpl" />
    
    </beans>
    In my web.xml, I have the listener tag below.
    Code:
    	<listener>
    		<listener-class>
    			org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    	</listener>
    I am getting the number of active sessions for the user and the total number of sessions using the code below.
    Code:
    import java.util.List;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.core.session.SessionInformation;

    // sessionRegistry (SessionRegistry) and sessionFacade are autowired fields of the enclosing class
    List<Object> allUserList = sessionRegistry.getAllPrincipals();
    //String userName = request.getUserPrincipal().getName();
    int sessionCount = 0;
    // total number of non-expired sessions across every principal in the registry
    for (int i = 0; i < allUserList.size(); i++) {
        List<SessionInformation> userSessionList = sessionRegistry.getAllSessions(allUserList.get(i), false);
        sessionCount += userSessionList.size();
    }

    // non-expired sessions of the currently authenticated principal only
    Object userSessionObject = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    List<SessionInformation> userSessionList = sessionRegistry.getAllSessions(userSessionObject, false);
    sessionFacade.setAttributeToSession("userSession", userSessionList.size());
    sessionFacade.setAttributeToSession("totalUserSession", sessionCount);
    Here, sessionRegistry is autowired. Can you please let me know where we are going wrong?
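    The counting code above only asks the registry for non-expired entries, so it cannot show whether a second entry is a stale one. The following diagnostic is an added example, not code from this thread or from Spring Security itself; it assumes Spring Security 3.0 core on the classpath and uses constructed sample principal and session ids. It lists every SessionInformation entry with its session id, last-request time and expired flag, returns the number of non-expired entries, and checks whether a given session id (in a real application, the id of the current request's HttpSession) is the one the registry knows.

    ```java
    import java.util.List;

    import org.springframework.security.core.session.SessionInformation;
    import org.springframework.security.core.session.SessionRegistry;
    import org.springframework.security.core.session.SessionRegistryImpl;

    /**
     * Hypothetical helper for inspecting a SessionRegistry (added example, not
     * part of the thread). It prints every registered entry, including ones
     * already marked expired, and returns the count of non-expired entries.
     */
    public class SessionRegistryDump {

        public static int dump(SessionRegistry registry) {
            int active = 0;
            for (Object principal : registry.getAllPrincipals()) {
                // includeExpiredSessions=true so stale entries become visible
                List<SessionInformation> all = registry.getAllSessions(principal, true);
                System.out.println("principal=" + principal + " entries=" + all.size());
                for (SessionInformation info : all) {
                    System.out.println("  sessionId=" + info.getSessionId()
                            + " lastRequest=" + info.getLastRequest()
                            + " expired=" + info.isExpired());
                    if (!info.isExpired()) {
                        active++;
                    }
                }
            }
            return active;
        }

        /** True when the registry holds an entry for the given session id. */
        public static boolean isRegistered(SessionRegistry registry, String sessionId) {
            return registry.getSessionInformation(sessionId) != null;
        }

        public static void main(String[] args) {
            // Constructed sample: two ids registered for one user, one later expired.
            SessionRegistryImpl registry = new SessionRegistryImpl();
            registry.registerNewSession("sess-A", "sample-user");
            registry.registerNewSession("sess-B", "sample-user");
            registry.getSessionInformation("sess-A").expireNow();

            // Both entries are listed, but only sess-B counts as active.
            System.out.println("active=" + dump(registry));
            System.out.println("sess-B registered=" + isRegistered(registry, "sess-B"));

            // Removing an entry is what the registry does when it receives the
            // SessionDestroyedEvent published by HttpSessionEventPublisher.
            registry.removeSessionInformation("sess-B");
            System.out.println("after logout active=" + dump(registry));
        }
    }
    ```

    Running the dump right after a login, and again after a refresh, shows whether a reported count of 2 consists of two non-expired ids or of one live id plus an expired one, and whether the id of the current HttpSession is among them; that is the information the replies below ask for.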

  • #2
    Can anyone please help me with this?



    • #3
      What does your web.xml look like?

      Originally posted by Prasi:
          but sometimes, spring security created two session for the same login
      When are you seeing this happen? Does Spring Security add two entries to the SessionRegistry for the user? Are both of the entries still not expired?

      Originally posted by Prasi:
          We are printing the number of active sessions for the user, here it prints 2,
      Are either of the SessionInformation objects marked as expired?

      Originally posted by Prasi:
          even if i am sure, user not logged in from anywhere
      How are you certain of this?

      Originally posted by Prasi:
          also, sometimes, counter(session) doesn't get decremented
      When does this occur? Keep in mind closing the browser will not decrement the count. Instead the user must log out or wait until the HttpSession expires (the expiration is controlled by your servlet container).



      • #4
        Thanks, rwinch, for the reply. My web.xml looks like this:
        Code:
        <?xml version="1.0" encoding="UTF-8"?>
        <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        	xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
        	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
        	id="WebApp_ID" version="2.5">
        	<display-name>spring-dispatcher</display-name>
        	<servlet>
        		<servlet-name>spring-dispatcher</servlet-name>
        		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        		<load-on-startup>1</load-on-startup>
        	</servlet>
        	<servlet-mapping>
        		<servlet-name>spring-dispatcher</servlet-name>
        		<url-pattern>*.htm</url-pattern>
        	</servlet-mapping>
        	<welcome-file-list>
        		<welcome-file>redirect.jsp</welcome-file>
        	</welcome-file-list>
        
        	<filter>
        		<filter-name>springSecurityFilterChain</filter-name>
        		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        	</filter>
        
        	<filter-mapping>
        		<filter-name>springSecurityFilterChain</filter-name>
        		<url-pattern>/*</url-pattern>
        	</filter-mapping>
        
        	<session-config>
        		<session-timeout>30</session-timeout>
        	</session-config>
        	
        	<jsp-config>
        		<taglib>
        			<taglib-uri>/spring</taglib-uri>
        			<taglib-location>/WEB-INF/spring.tld</taglib-location>
        		</taglib>
        		<taglib>
        			<taglib-uri>/form</taglib-uri>
        			<taglib-location>/WEB-INF/tld/spring-form.tld</taglib-location>
        		</taglib>
        	</jsp-config>
        
        	<context-param>
        		<param-name>contextConfigLocation</param-name>
        		<param-value>
        			 /WEB-INF/applicationContext.xml
                    /WEB-INF/security-context.xml
                    /WEB-INF/spring-dispatcher-servlet.xml
                </param-value>
        	</context-param>
        
        	<listener>
        		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        	</listener>
        	
        	<listener>
        		<listener-class>
        			org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
        	</listener>
        
        
        </web-app>
        Now I have found out that the session count in SessionRegistry is working fine, i.e. it gets decremented whenever the user logs out, but sometimes, when the user logs in, it creates 2 sessions, so when I log out only 1 session is decremented in SessionRegistry; this is the problem. I am sure the user is not logged in from anywhere else, since I am testing this on my local machine. Can you please help me out with this?

        Yes, Spring Security adds 2 entries to the SessionRegistry for the user. Neither of them is expired. This I am sure of, because we have the maximum concurrent sessions set to 3: I log in once, it creates 2 sessions; I log out, 1 entry gets decremented; I log in again, 2 sessions get created, and now we have 3 active sessions, i.e. 1 (which was created during the first login) + 2; I log out, 1 gets decremented, so now 2 sessions are active; again I log in and log out, and now 3 sessions are active. If I try to log in again, it tells me the maximum concurrent sessions have been exceeded.
        Last edited by Prasi; Sep 5th, 2011, 11:23 PM. Reason: Added more details



        • #5
          Can you post the debug logs from Spring Security?



          • #6
            There isn't actually any evidence of a problem here. Can you log in multiple times?

            The session registry may contain expired sessions.



            • #7
              Yes Luke, I am able to log in multiple times. As I said earlier, if 3 sessions are allowed for a user, one logout will decrement 1 from the SessionRegistry; however, another 1 will still be active and will only expire after the specified timeout period. However, this is not happening every time, only sometimes; I am not able to reproduce it, sometimes I get this type of issue. Today I noticed one more thing: in IE, I log in once, the user session count is 1, I refresh the page, the user session count becomes 2. Can you please tell me why this may happen? I am sure the user has not logged in to my application from anywhere else.

              rwinch: there isn't anything interesting in the security logs, everything looks fine. However, which part of the security logs do I need to post?
              Last edited by Prasi; Sep 6th, 2011, 10:46 AM.



              • #8
                Please post the logs of a time when you are able to reproduce the issue. Hopefully this will help someone to figure out why this issue is happening. If you are able to provide a way to reproduce the issue (providing source, configuration, steps, etc) this would be ideal.



                • #9
                  Yes, sure, I will post the logs when I reproduce this issue. BTW, can you please tell me why it may happen, i.e. the session count increases when I refresh the page (only sometimes)?



                  • #10
                    Originally posted by Prasi:
                        Yes, sure i will post the logs when i reproduce this issue.. BTW, can you please tell, why it may happen? i.e session count increases when i refresh the page (only sometimes)..
                    I'm not entirely convinced this is actually happening (I'm hoping the logs will be able to prove one way or another what is going on). One reason this might occur would be if multiple requests are attempting to authenticate from the same browser simultaneously.
