Authenticating using same session does not clean up SessionRegistry #3704

Open
rwinch opened this issue Feb 18, 2016 · 0 comments
Labels
in: web An issue in web modules (web, webmvc) type: bug A general bug

Comments

rwinch (Member) commented Feb 18, 2016

Using the following configuration:

```java
http
    .sessionManagement()
        .sessionFixation().changeSessionId()
        .maximumSessions(1)
        .maxSessionsPreventsLogin(true);
```

A user performs the following steps:

  • Open three tabs to a login page
  • Authenticate in the first tab
  • Authenticate in the second tab
  • Authenticate in the third tab

The user is not allowed to authenticate. This happens for two reasons:

  • The second authentication is allowed only because we check to see if the current session is the same as one of the existing sessions in ConcurrentSessionControlAuthenticationStrategy; this is why the error doesn't happen until the third authentication attempt
  • Currently authenticated users are not removed from the SessionRegistry

Users can work around this using the following:

```java
http
    .sessionManagement()
        .withObjectPostProcessor(new AdditionalStrategyPostProcessor(new CleanRegistry(sessionRegistry)))
        .sessionFixation().changeSessionId()
        .maximumSessions(1)
        .maxSessionsPreventsLogin(true);
```
```java
// AdditionalStrategyPostProcessor.java
import java.util.Arrays;

import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/**
 * Wraps the CompositeSessionAuthenticationStrategy that sessionManagement() builds so that an
 * additional delegate strategy runs before it.
 */
public class AdditionalStrategyPostProcessor
        implements ObjectPostProcessor<CompositeSessionAuthenticationStrategy> {
    private final SessionAuthenticationStrategy delegate;

    public AdditionalStrategyPostProcessor(SessionAuthenticationStrategy delegate) {
        this.delegate = delegate;
    }

    @Override
    @SuppressWarnings("unchecked")
    public <O extends CompositeSessionAuthenticationStrategy> O postProcess(O object) {
        // delegate first, then the original composite (concurrency check, fixation, registration)
        return (O) new CompositeSessionAuthenticationStrategy(Arrays.asList(delegate, object));
    }
}

// CleanRegistry.java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/**
 * Removes the current session's entry from the SessionRegistry before the concurrency check
 * counts it, so re-authenticating in the same session is not treated as an extra session.
 */
public class CleanRegistry implements SessionAuthenticationStrategy {
    private final SessionRegistry sessionRegistry;

    public CleanRegistry(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    @Override
    public void onAuthentication(Authentication authentication, HttpServletRequest request,
            HttpServletResponse response) throws SessionAuthenticationException {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return; // no session yet, so nothing can be registered for it
        }
        sessionRegistry.removeSessionInformation(session.getId());
    }
}
```
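To see the two reasons above play out against the real strategies, here is an added example (not from this issue or the Spring Security project) that drives the three-tab sequence through the same strategy chain the sessionManagement() DSL builds, once as-is and once with the CleanRegistry step in front. It assumes a Spring Security 4.x-era classpath (javax.servlet with a Servlet 3.1 API so ChangeSessionIdAuthenticationStrategy can call changeSessionId()), spring-test's mock servlet classes, and Java 8 for the lambda; the class name SameSessionReauthDemo, the user name "alice" and the helper names are made up, and the cleanup step restates the report's CleanRegistry logic inline.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/** Added demo (hypothetical class): three logins in one browser session, with and without cleanup. */
public class SameSessionReauthDemo {

    /** Same order the DSL uses: concurrency check, session-fixation protection, registration. */
    static List<SessionAuthenticationStrategy> defaultChain(SessionRegistry registry) {
        ConcurrentSessionControlAuthenticationStrategy control =
                new ConcurrentSessionControlAuthenticationStrategy(registry);
        control.setMaximumSessions(1);
        control.setExceptionIfMaximumExceeded(true); // equivalent of maxSessionsPreventsLogin(true)
        return new ArrayList<>(Arrays.<SessionAuthenticationStrategy>asList(
                control,
                new ChangeSessionIdAuthenticationStrategy(),
                new RegisterSessionAuthenticationStrategy(registry)));
    }

    /** The report's CleanRegistry logic: forget the current session id before it is counted. */
    static SessionAuthenticationStrategy cleanRegistry(SessionRegistry registry) {
        return (authentication, request, response) -> {
            HttpSession session = request.getSession(false);
            if (session != null) {
                registry.removeSessionInformation(session.getId());
            }
        };
    }

    /**
     * Authenticates the same user `attempts` times, every request carrying the one
     * MockHttpSession (all tabs share the cookie). Returns, per attempt, how many sessions
     * the registry holds for the user afterwards, or -1 if the attempt was rejected.
     */
    static List<Integer> run(SessionAuthenticationStrategy strategy, SessionRegistry registry,
            int attempts) {
        MockHttpSession browserSession = new MockHttpSession();
        Authentication user = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.NO_AUTHORITIES); // constructed sample user
        List<Integer> registeredPerAttempt = new ArrayList<>();
        for (int tab = 1; tab <= attempts; tab++) {
            MockHttpServletRequest request = new MockHttpServletRequest();
            request.setSession(browserSession); // id changes in place on changeSessionId()
            HttpServletResponse response = new MockHttpServletResponse();
            try {
                strategy.onAuthentication(user, request, response);
                registeredPerAttempt.add(
                        registry.getAllSessions(user.getPrincipal(), false).size());
            } catch (SessionAuthenticationException rejected) {
                registeredPerAttempt.add(-1);
            }
        }
        return registeredPerAttempt;
    }

    public static void main(String[] args) {
        SessionRegistry plain = new SessionRegistryImpl();
        System.out.println("default chain:      "
                + run(new CompositeSessionAuthenticationStrategy(defaultChain(plain)), plain, 3));

        SessionRegistry cleaned = new SessionRegistryImpl();
        List<SessionAuthenticationStrategy> chain = defaultChain(cleaned);
        chain.add(0, cleanRegistry(cleaned)); // what AdditionalStrategyPostProcessor does
        System.out.println("with CleanRegistry: "
                + run(new CompositeSessionAuthenticationStrategy(chain), cleaned, 3));
    }
}
```

With the default chain the count for the user should grow by one per login, because each changeSessionId() registers the new id while the old one stays behind, and the third attempt should be rejected once two entries exceed the maximum of one; with the cleanup step in front the count should stay at one and every attempt should succeed, which is the behaviour the report describes. Whether a later Spring Security version still reproduces the accumulation depends on whether its SessionRegistryImpl tracks session-id changes, so treat the default-chain result as specific to the 4.x-era classes assumed here.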
@rwinch rwinch added in: web An issue in web modules (web, webmvc) type: bug A general bug labels Feb 18, 2016
@rwinch rwinch added this to the 4.1.0 M1 milestone Feb 18, 2016
@rwinch rwinch modified the milestones: 4.1.0 RC1, 4.0 Backlog Mar 22, 2016
@rwinch rwinch modified the milestone: 4.0 Backlog Aug 15, 2016