Invalidate session programatically

[mrshawn191]

Hi in my project I have to support both redis and inmemory session repository.

The problem is whenever a user object is mutated in database, we invalidate session and replace with the new updated one, this logic seems to cause problem.

    @Transactional
    public void enableOrDisable(User user) {
        Assert.notNull(user, "Cannot enable or disable on a non existing user");
        userDao.enableOrDisable(user);
        invalidate(user.getUsername());
    }


    @SuppressWarnings("unchecked")
    private void invalidate(String username) {
        final ExpiringSession session = onUserRetrieval(username);
        User user = userDao.findByUsername(username);
        if (null != session && null != user) {
            user.eraseCredentials();
            log.info("<invalidate(): Found existing session trying invalidate {} with {}", toJson(session), toJson(session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY)));
            final SecurityContext context = SecurityContextHolder.createEmptyContext();
            context.setAuthentication(new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities()));
            session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
            log.info("<invalidate(): Replaced old session with {} and {}", toJson(session), toJson(session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY)));
            sessionRepository.save(session);
            SecurityContextHolder.setContext(context);
        }
    }

    @SuppressWarnings("unchecked")
    private ExpiringSession onUserRetrieval(String username) {
        return (ExpiringSession) this.sessionRepository
                .findByIndexNameAndIndexValue(FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME, username)
                .values()
                .stream()
                .findFirst()
                .orElse(null);
    }

[vpavic]

I'm not sure what you're exactly trying to achieve @mrshawn191 and what is the problem you're encountering?

The logic from the code snippets from above doesn't seem right to me. First off, you're selecting a random session (findFirst()) for a given user while it's perfectly reasonable for user to have multiple sessions at the same time. Secondly, you're associating the security context with current thread SecurityContextHolder.setContext(context) but it does not seem that the code involved is executed by the user in subject themselves.

This seems more of a general Spring Security question and is perhaps better suited for Stack Overflow.

[mrshawn191]

Hi thanks for answering. What I want to achieve is that,

1. Both users have an active session
2. User A updates User B authority, therefore we need to update User B session.

How do you achieve this?

I have tried searching on the web but couldn't find any info. Could you please provide any input?

[mrshawn191]

I guess something similar to https://stackoverflow.com/questions/33990260/spring-session-redis-and-spring-security-how-to-update-user-session but the filter solution looks messy and complex

[ZmurLV]

Struggling with similar problem but on JDBC database session storage.

[malliaridis]

Still not answered somewhere in 2019?

[spring-projects-issues]

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

[spring-projects-issues]

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.