
SessionAuthenticationStrategy makes HttpSecurity.sessionManagement().maximumSessions(1) unavailable #7166

Closed
HomminLee opened this issue Jul 31, 2019 · 5 comments · Fixed by #7258

Comments

@HomminLee

commented Jul 31, 2019

I am not good at English, so please forgive my grammatical mistakes.

I have a problem while configuring HttpSecurity.sessionManagement().maximumSessions(1). I want a user to have only one valid session at the same time.

If I log in at browser A and then log in at browser B, it works perfectly and the session in browser A is invalidated.

But if I log in at browser A, then log in at browser A again (in other words, I call the /login interface twice in the same browser), then log in at browser B, I found that both browsers can access the restricted interfaces.

I viewed the source code and found there are three SessionAuthenticationStrategy implementations: ConcurrentSessionControlAuthenticationStrategy, ChangeSessionIdAuthenticationStrategy, RegisterSessionAuthenticationStrategy. I tried to debug with the source code and the following happened:

During the second login at browser A, ConcurrentSessionControlAuthenticationStrategy finds the same sessionId, so it does nothing. But ChangeSessionIdAuthenticationStrategy changes the sessionId into a new sessionId, and RegisterSessionAuthenticationStrategy thinks it's a new session and stores it, so there are two sessions in the session registry.

Did I miss some configuration to resolve this problem?

My Spring Security version is 5.1.5.RELEASE. Thank you very much!

@rwinch
Member

commented Aug 5, 2019

But if I login at A browser, then login at A browser, then login at B browser. I found two sessions are both valid.

Can you explain what you mean by this? How do you log in at browser A and then log in at browser A again?

@HomminLee
Author

commented Aug 6, 2019

Thank you for taking the time to look at my issue. I tried to complete my question.

@rwinch
Member

commented Aug 6, 2019

Thank you. Can you please provide a minimal sample to reproduce the issue?

@HomminLee
Author

commented Aug 7, 2019

I created a simple project to verify my problem, and got the same behaviour. It only includes a security configuration and a REST controller. I uploaded my code at https://github.com/HomminLee/security-session-demo. Also, I wrote down the steps in README.md.

@eleftherias
Contributor

commented Aug 9, 2019

Thank you for the sample and detailed explanation.
We are working on a fix for this, but in the meantime there are 2 options you can use to prevent this problem from happening.

Option 1
You can prevent any additional users from logging in when the maximum number of sessions has been reached, by using maxSessionsPreventsLogin(true).
Your configuration would look like this.

http
    .sessionManagement()
        .maximumSessions(1)
            .maxSessionsPreventsLogin(true);

Option 2
You can change your session fixation strategy to newSession() or migrateSession(). This will expire the existing session when a new session is created in the same browser.
Your configuration would look like this.

http
    .sessionManagement()
        .maximumSessions(1)
            .and()
        .sessionFixation()
            .newSession();

If you are using newSession() or migrateSession(), you will also need a HttpSessionEventPublisher bean.

@Bean
public HttpSessionEventPublisher httpSessionEventPublisher() {
    return new HttpSessionEventPublisher();
}
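A complete configuration class that puts Option 2 together with the HttpSessionEventPublisher bean, as an added example for this thread (it is not code from the comment above or from the Spring Security project). It is written against the 5.1.x WebSecurityConfigurerAdapter API used by the reporter; the in-memory user and the /login?expired URL are constructed placeholders, and the explicit SessionRegistryImpl bean is this example's choice so the registry is a managed bean that can receive SessionDestroyedEvent. The commented-out maxSessionsPreventsLogin(true) line shows where Option 1 would go instead.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Added example (not from the issue thread): one-session-per-user with
// Spring Security 5.1.x, using the newSession() fixation strategy so that a
// repeated login in the same browser expires the old session instead of
// leaving a second entry in the session registry.
@Configuration
@EnableWebSecurity
public class SingleSessionConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .sessionManagement()
                // Option 2: create a brand-new session on every authentication.
                // migrateSession() is the alternative that copies attributes over.
                .sessionFixation().newSession()
                .maximumSessions(1)
                    // Option 1 instead: reject the new login rather than expiring
                    // the old one. Uncomment to use it.
                    // .maxSessionsPreventsLogin(true)
                    .sessionRegistry(sessionRegistry())
                    // Placeholder URL shown to a browser whose session was expired.
                    .expiredUrl("/login?expired");
    }

    // Declared as a bean (rather than left to the configurer's default) so it
    // receives SessionDestroyedEvent and drops entries for invalidated sessions.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Required with newSession()/migrateSession(): translates servlet
    // HttpSessionListener callbacks into Spring SessionDestroyedEvents.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    // Constructed test credentials for a local run; not part of the thread.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user").password("{noop}password").roles("USER");
    }
}
```

To check the behaviour the reporter describes, log in twice from the same browser and then once from a second browser; with this configuration the first browser's requests should be redirected to the expiredUrl, and the registry should hold a single principal session at any time.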
eleftherias added a commit to eleftherias/spring-security that referenced this issue Aug 13, 2019
eleftherias added a commit to eleftherias/spring-security that referenced this issue Aug 14, 2019
eleftherias added a commit to eleftherias/spring-security that referenced this issue Aug 14, 2019

@rwinch rwinch closed this in #7258 Aug 15, 2019

rwinch added a commit that referenced this issue Aug 15, 2019
rwinch added a commit that referenced this issue Aug 15, 2019

@rwinch rwinch added this to the 5.2.0.RC1 milestone Aug 15, 2019

kostya05983 added a commit to kostya05983/spring-security that referenced this issue Aug 26, 2019
fhanik added a commit to fhanik/spring-security that referenced this issue Aug 27, 2019