Home/ Questions/Q 8865121
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T16:25:23+00:00

I am using Spring Security 3.1 to handle login authentication, session timeouts and maximum

  • 0

I am using Spring Security 3.1 to handle login authentication, session timeouts and maximum sessions.

Also I am deleting cookies only on logout.

<logout delete-cookies="JSESSIONID" logout-success-url='logout page' />

Also I have set maximum sessions to 1 as of now for testing.
When I open my webpage in browser, it stores jsession id in cookie but the problem starts when I exit and reopen my browser. At this time I cannot find any cookies in the browser, they get deleted that is why I am not getting redirected to welcome page(page after login).

But when I login again, it shows an error message that I am printing:-number of sessions exceeded.

This possibly means that session remains alive on server side but it gets deleted from the cookie on client side due to which I neither see the welcome page nor am able to login on the login page.

What else I need to do so that cookies remain there in the browser till the session times out? I have set session timeout to 10 days

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is normal behaviour. JSESSIONID cookies are only valid for the lifetime of a browser session so are gone when you close your browser. This isn’t something you can change.

    There is no connection between the browser’s perception of a session and the lifetime of a session on the server. Unless you actually log out, the server session is still there until it times out and is removed by the server (10 days in your case). Until that happens, trying to log in again will exceed the number of allowed sessions.

    If you want to stay logged in for 10 days, you might want to look at using remember-me cookies rather than the standard servlet container session.

    Unless you have a definite requirement for restricting the number of concurrent sessions a user can have, I would avoid using that as it will just cause you problems. You haven’t actually shown your configuration for this, but there are really just two options. Either a user can log back in again and the previous session will be marked as expired, or attempting to log in a second time will cause an error until the previous session has timed out, or the user logs out to explicitly invalidate it. The behaviour is controlled by the error-if-maximum-exceeded namespace attribute.

    • 0