i find that spring security, session concurrency is very strange. <sec:session-management> <sec:concurrency-control max-sessions=1 error-if-maximum-exceeded=true

Question

Asked: May 18, 20262026-05-18T23:51:47+00:00 2026-05-18T23:51:47+00:00

i find that spring security, session concurrency is very strange.

<sec:session-management>
        <sec:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</sec:session-management>

the code means that, just only one user can log in in time.

i successfully login, than hit logout button. log out is successfully (i don’t get my username anymore). but when i try to relogin, i just get exception that maximum session exceeded. is session in spring security is not deleted clearly?
i finish login. and i with out log out, i try to login again. i still can login. but when the second time i to relogin, i get exception that maximum session exceeded. i think it should be rejected to login when first time try to relogin.

thanks for your response
Best regards

You must login to add an answer.

Need An Account,

Editorial Team · Answer 1 · 2026-05-18T23:51:48+00:00

Editorial Team

Make sure you didn’t forget to configure a listener in web.xml, as required for session management:

<listener>
    <listener-class>
        org.springframework.security.web.session.HttpSessionEventPublisher
    </listener-class>
</listener>

The Archive Base Latest Questions