  • Session Help and some explanation

    Hi all,

    Can someone explain session management to me a bit please (or provide me with some additional reading).

    I am currently playing with the ConcurrentSessionControlStrategy and have set the maximum sessions value to 1 and 2, but I see 0 differences between the behavior of my application.

    Using chrome, I launch a form login and login with 'admin'. I then open a second tab and login again. A second session ID is created and I can once again login with 'admin'. Now, from the second window, if I logout, I'm booted out of both windows.

    The strange thing, to me, is that the behavior is consistent whether I change that concurrency setting to 1 or 2. If I 'support' more than 1 session, why would the second window log me out of the first?

    Thanks for the help,


  • #2 a nutshell

    I guess, to take it one step further...

    Can Spring Security, in any shape or form, give me the ability to:

    - launch login form A in chrome (tab A)
    - launch login form B in chrome (new tab B)

    Login as user A in form A in tab A. Login as user B in form B in tab B.

    Go to tab A and hit refresh - and I'm logged in as user B. User B's login clobbers user A and takes over. Is there any way to have both tabs work as two distinct browsers? I don't believe there is, is there?

    Can anybody just confirm that there is or isn't a way to do that?



    • #3
      A tab isn't a new window; a tab copies the session state and cookies... So basically you are still logged in once... Start up Chrome and Firefox and try again...

      "Is there any way to have both tabs work as two distinct browsers?"
      Well, see above... Also, a new tab (CTRL+T) and a new window (CTRL+N) basically have the same behavior; you really need to start a fresh browser.


      • #4
        Thank you for confirming that and explaining it nicely.

        Taking it the next step - would it be possible to disable cookies in some way for my app and pass across the sessionID on each request, thereby taking the logic to handle these different requests into the app and managing the sessions that way? I'm not really asking for a 'here's how you'd do it' answer, but wondering if anybody has explored this option in the past?


        • #5
          You could, but that opens up your application to session hijacking... You can instruct your app server to disable cookies for the session id and use the request. The drawback is that each request needs to have the session identifier... (and as that is in the URL, it makes you vulnerable).


          • #6
            Very good. Thanks for the quick reply.
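Added example, not code from this thread or from the Spring Security project: a Spring Security Java configuration showing the per-principal concurrency limit discussed in #1 to #3 and, for the concern in #5, forcing cookie-only session tracking so the session id is never carried in the URL. It assumes Spring Security 3.2+ Java config and a Servlet 3.0+ container (in the 3.0/3.1 era of this thread the same settings live in the `<session-management>` XML namespace and web.xml); the class names are hypothetical.

```java
// Added example (not from this thread or Spring Security). Assumes Spring Security 3.2+,
// where the thread's ConcurrentSessionControlStrategy is installed by maximumSessions().
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.web.WebApplicationInitializer;
@Configuration
@EnableWebSecurity
public class SessionSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated().and()
            .formLogin().and()
            // logout invalidates the one shared session: every tab of that browser goes with it
            .logout().invalidateHttpSession(true).deleteCookies("JSESSIONID").and()
            .sessionManagement()
                // fresh session id after login, so a pre-login id cannot be fixated
                .sessionFixation().migrateSession()
                // counted per principal in the SessionRegistry; two tabs present the
                // same JSESSIONID cookie, so they are one session and never hit this limit
                .maximumSessions(1)
                // false: expire the oldest session; true: refuse the new login instead
                .maxSessionsPreventsLogin(false)
                .expiredUrl("/login?expired");
    }
    // tells the registry when the container destroys a session; without it dead sessions keep counting
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}

// Separate file: cookie-only tracking means the container never rewrites the session id
// into URLs (the hijacking exposure from #5); the cookie is also made HttpOnly and Secure.
public class SessionTrackingInitializer implements WebApplicationInitializer {
    @Override
    public void onStartup(ServletContext ctx) throws ServletException {
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        ctx.getSessionCookieConfig().setHttpOnly(true);
        ctx.getSessionCookieConfig().setSecure(true);
    }
}
```

To see the limit actually trigger, log in as the same user from two different browsers (or profiles), not two tabs: the second login expires the first session and its next request lands on /login?expired.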