
SEC-1850: ConcurrentSessionFilter should be by default injected with the same logout handlers as LogoutFilter when using namespace config #2087

spring-issuemaster opened this Issue Nov 1, 2011 · 2 comments



Abdulaziz (Migrated from SEC-1850) said:

I have an app configured to prevent concurrent sessions:
<sec:session-management session-fixation-protection="migrateSession">
    <sec:concurrency-control max-sessions="1" expired-url="/sessionExpired.do" session-registry-ref="sessionRegistry"/>
</sec:session-management>
Also, we are using remember-me functionality:
<sec:remember-me key="someKey" services-ref="rememberMeServices" />

Now, with this config, the logout filter is injected with both SecurityContextLogoutHandler and our TokenBasedRememberMeServices bean, which implements LogoutHandler. This is the expected config, and it correctly executes both handlers (in this case, the remember-me cookie will be canceled by TokenBasedRememberMeServices).

However, if the user exceeds his max sessions and the ConcurrentSessionFilter logs the user out, it uses the default SecurityContextLogoutHandler, which is declared inside:
private LogoutHandler[] handlers = new LogoutHandler[] {new SecurityContextLogoutHandler()};

I think ConcurrentSessionFilter should be injected with the same logout handlers as LogoutFilter so the user will be properly logged out (i.e., clearing the remember-me cookie, for example).

Abdulaziz said:

Actually a similar issue (SEC-299) was fixed a long time ago, and it provided a setter to inject a list of logout handlers. However, when using namespace config, this behavior is not used and only the default SecurityContextLogoutHandler is used...

Rob Winch said:

This is now fixed in master

@spring-issuemaster spring-issuemaster added this to the 3.1.2 milestone Feb 5, 2016
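
For releases without the fix, the handlers can be passed to ConcurrentSessionFilter through the setter mentioned in the thread by declaring the filter explicitly instead of using `<sec:concurrency-control>`. This is an added example, not configuration from the issue or from the Spring Security project; the bean ids `concurrencyFilter` and `sas` are hypothetical, and it assumes a 3.x release in which the filter still exposes property setters.

```xml
<!-- Added example. "sessionRegistry" and "rememberMeServices" are the beans named in the
     report; "concurrencyFilter" and "sas" are hypothetical ids chosen for illustration. -->
<sec:http>
    <!-- existing intercept-url / form-login / logout elements stay as they are -->
    <sec:remember-me key="someKey" services-ref="rememberMeServices"/>

    <!-- Takes the place of <sec:concurrency-control>; both would otherwise claim
         the CONCURRENT_SESSION_FILTER position in the filter chain. -->
    <sec:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter"/>
    <sec:session-management session-authentication-strategy-ref="sas"/>
</sec:http>

<bean id="concurrencyFilter"
      class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <property name="sessionRegistry" ref="sessionRegistry"/>
    <property name="expiredUrl" value="/sessionExpired.do"/>
    <!-- Same handlers the LogoutFilter runs, so a forced logout of an expired
         session also cancels the remember-me cookie. -->
    <property name="logoutHandlers">
        <list>
            <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
            <ref bean="rememberMeServices"/>
        </list>
    </property>
</bean>

<!-- Enforces max-sessions="1" at login time against the shared session registry. -->
<bean id="sas"
      class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <constructor-arg ref="sessionRegistry"/>
    <property name="maximumSessions" value="1"/>
</bean>
```

A quick check after deploying such a configuration is to exceed the session limit and confirm that the response redirecting to the expired URL also expires the remember-me cookie.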
