Property expiredUrl of SessionManagement is not handled correctly #4165

Open
MassimoScattarella opened this issue Dec 21, 2016 · 3 comments
Labels
status: waiting-for-triage An issue we've not yet triaged

Comments

@MassimoScattarella

Spring Boot Security

Property expiredUrl of SessionManagement is not handled correctly

Actual Behavior

This situation is verified by setting a limit of max 1 session per user in the security config. After signing in as the first user (A) and then logging in as the second user (B), the first one (A) is invalidated on the server side correctly. When the first user (A) refreshes the page, instead of the too-many-sessions-per-user error message, Spring Security returns the Invalid Session error code.

Detailed procedure is described below:

For concurrent sessions, in this case expiredUrl does not work; this is my use case:

  1. Open the first tab/browser and sign in
  2. Open the second tab/browser and sign in
  3. Go to the first tab/browser and refresh the page (F5): redirected to invalidSessionUrl. KO

On step #3 Spring returns the invalidSessionUrl error message instead of too many sessions per user.

In order to avoid the session being shared, I recommend using two different browsers or a browser in incognito mode.

Note: The third step must be performed before the session timeout; otherwise the session will be invalidated by the timeout instead of by concurrent session control.
For testing, in the demo project the session expiration is configured to 20 seconds.

Expected Behavior

  1. Open the first browser: go to the login page, insert credentials and go to the home page.
  2. Open the second browser: go to the login page, insert credentials and go to the home page.
  3. Go to the first browser and press refresh (F5): redirected to expiredUrl. (Redirect to invalidSessionUrl only if the session expired.)

Configuration

```java
.sessionManagement()
    .sessionFixation().migrateSession()
    .invalidSessionUrl(LOGIN_INVALID_SESSION_URL)
    .maximumSessions(1)
    .maxSessionsPreventsLogin(false)
    .expiredUrl(LOGIN_EXPIRED_URL)
```

WorkAround

Add a custom filter customConcurrentSessionFilter before ConcurrentSessionFilter.

```java
http.addFilterBefore(customConcurrentSessionFilter(), ConcurrentSessionFilter.class)
```

Remove expiredUrl from the default configuration because it is already declared in the custom filter.

```java
.sessionManagement()
    .sessionFixation().migrateSession()
    .invalidSessionUrl(LOGIN_INVALID_SESSION_URL)
    .maximumSessions(1)
    .maxSessionsPreventsLogin(false)
    //.expiredUrl(LOGIN_EXPIRED_URL)  <-- Note the commented-out instruction
```

The custom filter is almost identical to ConcurrentSessionFilter, except that in doFilter(...), before sending the redirect, it creates a new empty session.
By doing this, when the SessionManagementFilter is invoked, it does not raise the InvalidSession error.

Version

Spring boot 1.4.2.RELEASE

Sample

https://github.com/MassimoScattarella/FixConcurrentSessionForSpringBootSecurity

@syakuis

syakuis commented May 23, 2017

ConcurrentSessionFilter expiredUrl is deprecated!!

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.session.SessionInformationExpiredEvent;
import org.springframework.security.web.session.SessionInformationExpiredStrategy;

// Replacement for the deprecated expiredUrl property: the strategy is handed to
// ConcurrentSessionFilter and decides what happens once an expired session is detected.
public class SessionExpiredHandler implements SessionInformationExpiredStrategy {
	private final String expiredUrl;

	public SessionExpiredHandler(String expiredUrl) {
		this.expiredUrl = expiredUrl;
	}

	@Override
	public void onExpiredSessionDetected(SessionInformationExpiredEvent sessionInformationExpiredEvent) throws IOException, ServletException {
		HttpServletRequest request = sessionInformationExpiredEvent.getRequest();
		HttpServletResponse response = sessionInformationExpiredEvent.getResponse();
		// Redirect relative to the context path, as the old expiredUrl did
		response.sendRedirect(request.getContextPath() + expiredUrl);
	}
}
```

```xml
<beans:bean id="concurrentSessionFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
		<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
		<beans:constructor-arg name="sessionInformationExpiredStrategy" ref="sessionExpiredHandler" />
</beans:bean>
```

@lorenzo-catalano

Hi @syakuis,
I tried @MassimoScattarella's code in https://github.com/MassimoScattarella/FixConcurrentSessionForSpringBootSecurity
and I found that in Spring Boot 1.4.2, which he is using, ConcurrentSessionFilter expiredUrl is not deprecated.
Trying your code with Spring Boot 1.5.3 still gives a redirect to invalidSessionUrl AFTER the redirect to expiredUrl.
I tried creating a new session like this:

```java
    @Override
    public void onExpiredSessionDetected(SessionInformationExpiredEvent sessionInformationExpiredEvent) throws IOException, ServletException {
        HttpServletRequest request = sessionInformationExpiredEvent.getRequest();
        HttpServletResponse response = sessionInformationExpiredEvent.getResponse();
        request.getSession(); // creates a new session before the redirect is sent
        response.sendRedirect(request.getContextPath() + expiredUrl);
    }
```

and it works correctly without the second redirect to invalidSessionUrl.
Is this the correct way?
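The issue's workaround (create a new empty session before the expired-session redirect) and the `request.getSession()` variant in the comment above, combined into one Java-config example. This is added illustration, not code from the linked sample project or from Spring Security itself. It assumes the Spring Security 4.2.x API that ships with Spring Boot 1.5.x (`expiredSessionStrategy(...)` on the concurrency configurer and the `SessionInformationExpiredStrategy` interface); the class names `ConcurrentSessionConfig` and `FreshSessionThenRedirect` and the two login URLs are made up for the example, since the issue only names the constants.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.security.web.session.SessionInformationExpiredEvent;
import org.springframework.security.web.session.SessionInformationExpiredStrategy;

/**
 * Example configuration (not the sample project's code): one session per user, the
 * newer login wins, and an expired session lands on LOGIN_EXPIRED_URL instead of on
 * invalidSessionUrl. Assumes Spring Security 4.2.x (Spring Boot 1.5.x).
 */
@Configuration
@EnableWebSecurity
public class ConcurrentSessionConfig extends WebSecurityConfigurerAdapter {

    // Assumed values; the issue only names these constants.
    static final String LOGIN_INVALID_SESSION_URL = "/login?invalid";
    static final String LOGIN_EXPIRED_URL = "/login?expired";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .permitAll()
                .and()
            .sessionManagement()
                .sessionFixation().migrateSession()
                .invalidSessionUrl(LOGIN_INVALID_SESSION_URL)
                .maximumSessions(1)
                    .maxSessionsPreventsLogin(false)   // the newer login evicts the older session
                    .sessionRegistry(sessionRegistry())
                    // Replaces expiredUrl(...): same redirect, but a fresh session is created first.
                    .expiredSessionStrategy(new FreshSessionThenRedirect(LOGIN_EXPIRED_URL));
    }

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    /** Forwards HttpSessionDestroyed events to the registry so timed-out sessions are dropped. */
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    /**
     * Invoked by ConcurrentSessionFilter after it has already logged the user out and
     * invalidated the expired session. Creating a new session here makes the container
     * attach a fresh session cookie to the redirect response. Without it the browser keeps
     * sending the old, now-invalid JSESSIONID, and the very next request (the one for
     * LOGIN_EXPIRED_URL itself) trips SessionManagementFilter's invalid-requested-session
     * check and is bounced on to invalidSessionUrl, which is the double redirect in this issue.
     */
    static class FreshSessionThenRedirect implements SessionInformationExpiredStrategy {

        private final String expiredUrl;

        FreshSessionThenRedirect(String expiredUrl) {
            this.expiredUrl = expiredUrl;
        }

        @Override
        public void onExpiredSessionDetected(SessionInformationExpiredEvent event)
                throws IOException, ServletException {
            HttpServletRequest request = event.getRequest();
            HttpServletResponse response = event.getResponse();

            // Must run before sendRedirect commits the response, or no Set-Cookie goes out.
            request.getSession(true);

            response.sendRedirect(request.getContextPath() + expiredUrl);
        }
    }
}
```

To check it, repeat the steps from the issue in two different browsers (or one normal and one incognito window) before the session timeout: after the second login, a refresh in the first browser should arrive at `/login?expired` once, with a new `JSESSIONID` set on that redirect, and should not be forwarded again to `/login?invalid`. The `HttpSessionEventPublisher` bean matters for the timeout case as well: without it `SessionRegistryImpl` is never told that a session was destroyed, and stale entries linger in the registry.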

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 7, 2019
@hi-rullah

May I follow up on the latest status of this issue, please?

5 participants