My different sessions are being duplicated with the same last activity and session id, why?
<p>I'm using Spring Security. When I log in from different browsers with the same user (which I set to be possible to have multiple sessions), the data passed from the controller (where I get the SessionInformation from every principal) to the view is being duplicated instead of creating a new session id, and the last activity is the very same for all the different browser sessions as well.</p>

<p>This is a part of the spring-security.xml where the sessionRegistry is configured and stuff.</p>

<pre><code>    &lt;form-login login-page="/login" default-target-url="/welcome"
                always-use-default-target="true"
                authentication-failure-url="/loginfailed"/&gt;
    &lt;logout logout-success-url="/logout" /&gt;
    &lt;custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" /&gt;
    &lt;custom-filter after="FORM_LOGIN_FILTER" ref="myAuthFilter" /&gt;
    &lt;session-management session-authentication-strategy-ref="sas"/&gt;
&lt;/http&gt;

&lt;authentication-manager alias="authenticationManager"&gt;
    &lt;authentication-provider ref="ldapAuthProvider"&gt;
    &lt;/authentication-provider&gt;
&lt;/authentication-manager&gt;

&lt;beans:bean id="concurrencyFilter"
    class="org.springframework.security.web.session.ConcurrentSessionFilter"&gt;
    &lt;beans:property name="sessionRegistry" ref="sessionRegistry" /&gt;
&lt;/beans:bean&gt;

&lt;beans:bean id="myAuthFilter"
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"&gt;
    &lt;beans:property name="sessionAuthenticationStrategy" ref="sas" /&gt;
    &lt;beans:property name="authenticationManager" ref="authenticationManager" /&gt;
&lt;/beans:bean&gt;

&lt;beans:bean id="sas"
    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"&gt;
    &lt;beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" /&gt;
    &lt;beans:property name="maximumSessions" value="-1" /&gt;
&lt;/beans:bean&gt;

&lt;beans:bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" /&gt;
</code></pre>

<p>This is the controller in which the sessionRegistry is being consumed:</p>

<pre><code>@RequestMapping(value = "/activeusers", method = RequestMethod.GET)
public String manageActiveUsers(ModelMap model, Principal principal) {
    String name = principal.getName();
    model.addAttribute("username", name);

    List&lt;LoginUserInfo&gt; userSessionData = new ArrayList&lt;LoginUserInfo&gt;();
    List&lt;Object&gt; principals = sessionRegistry.getAllPrincipals();

    //TODO: Find a better way to get the remote IP Address according to each client call
    String remoteAddress = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes())
            .getRequest().getLocalAddr();

    for (Object object : principals) {
        LoginUserInfo userInfo = new LoginUserInfo();
        LdapUserDetailsImpl user = (LdapUserDetailsImpl) object;
        List&lt;SessionInformation&gt; sessions = sessionRegistry.getAllSessions(user, false);
        String username = user.getUsername();

        for (SessionInformation session : sessions) {
            Date lastRequest = session.getLastRequest();
            String sessionId = session.getSessionId();
            userInfo.setUsername(username);
            userInfo.setIp(remoteAddress);
            userInfo.setLastActivity(lastRequest.getTime());
            userInfo.setSessionId(sessionId);
            userSessionData.add(userInfo);
        }
    }

    model.addAttribute("userSessionData", userSessionData);
    return "activeusers";
}
</code></pre>

<p>And then I send "userSessionData" to a JSP view like this.</p>

<pre><code>&lt;c:forEach var="userDetail" items="${userSessionData}"&gt;
    &lt;tr&gt;
        &lt;td&gt;&lt;c:out value="${userDetail.ip}"/&gt;&lt;/td&gt;
        &lt;td&gt;&lt;c:out value="${userDetail.username}"/&gt;&lt;/td&gt;
        &lt;td&gt;&lt;c:out value="${userDetail.lastActivity}"/&gt;&lt;/td&gt;
        &lt;td&gt;&lt;c:out value="${userDetail.sessionId}"/&gt;&lt;/td&gt;
    &lt;/tr&gt;
&lt;/c:forEach&gt;
</code></pre>

<p>As I said, all the user-related data is being duplicated (sessionId and lastActivity) even though I log in from another browser. When I do some requests from one browser, the lastActivity gets refreshed in all the sessions at the same time.</p>

<p>Another thing: when I log out from different browsers, the session should be terminated. But when I check the session list, it is still there. Why is that happening too?</p>
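Added example, not part of the original post: a stand-alone reduction of the row-building loop in the controller above, run on constructed data, with a hypothetical `Session` record standing in for Spring's `SessionInformation` and a `Row` class standing in for `LoginUserInfo`. `sharedRow` fills one object per principal and adds it once per session, so every list entry is the same reference; `rowPerSession` allocates one object per session.

```java
import java.util.ArrayList;
import java.util.List;

public class SessionRowsDemo {
    // Stand-in for Spring's SessionInformation (hypothetical, for this demo only).
    record Session(String sessionId, long lastRequest) {}

    // Mutable row bean shaped like the LoginUserInfo in the question (hypothetical).
    static class Row {
        String username; String sessionId; long lastActivity;
        @Override public String toString() {
            return username + " " + sessionId + " " + lastActivity;
        }
    }

    // Same shape as the controller loop: one Row per principal, mutated per session.
    static List<Row> sharedRow(String user, List<Session> sessions) {
        List<Row> rows = new ArrayList<>();
        Row row = new Row();
        for (Session s : sessions) {
            row.username = user;
            row.sessionId = s.sessionId();
            row.lastActivity = s.lastRequest();
            rows.add(row); // adds another reference to the same object
        }
        return rows;
    }

    // One Row per session: each list entry keeps its own values.
    static List<Row> rowPerSession(String user, List<Session> sessions) {
        List<Row> rows = new ArrayList<>();
        for (Session s : sessions) {
            Row row = new Row();
            row.username = user;
            row.sessionId = s.sessionId();
            row.lastActivity = s.lastRequest();
            rows.add(row);
        }
        return rows;
    }

    public static void main(String[] args) {
        // Constructed sample data: one user, two browser sessions.
        List<Session> sessions = List.of(
            new Session("SESSION-A", 1000L), new Session("SESSION-B", 2000L));
        System.out.println(sharedRow("alice", sessions));
        System.out.println(rowPerSession("alice", sessions));
    }
}
```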
 
