
  • Spring Security Session Management Anomaly

    Hi,
    I am using Spring Security 3.0.3 with X509 certs to secure my Flex application. My requirement is to have one and only one session per user. So the snippet from my applicationContext-security.xml is:

    ...
    <session-management>
        <concurrency-control max-sessions="1"
            error-if-maximum-exceeded="false"/>
    </session-management>
    ...

    The test browser is Firefox 10.
    What we have noticed, very, very infrequently, is that if user A logs into the app with identity A and another user B logs in with identity B, and user A then logs out and logs back in, he now has the identity of user B!
    How can this possibly happen with Spring Security?

    Thanks

  • #2
    I'm not sure what this has to do with session management. A few questions:
    • What does the rest of your security configuration look like?
    • What does your web.xml look like?
    • Are the two users using different machines, different browsers, the same browser?
    • Have you tried to update (at minimum to 3.0.8.RELEASE which should be entirely passive)?
    • Do you know the HTTP Session values of the two users?
    • Which application server/version are you using (it is what validates and provides the certificate)?


    PS: Please use code tags to make reading the configuration easier.
