Home/ Questions/Q 6958303
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T15:07:20+00:00

I spent a lot of time to solve this problem, yet still couldn’t get

  • 0

I spent a lot of time to solve this problem, yet still couldn’t get it work.

I am using Spring Security. The application will run on multiple servers. I use the option “remember me” on login to save persistent logins in my database.

If a user is connected to server 1, he has a session id in cookies browser. I turn on another server and this user makes authentication and the cookies browser have this session id and the session id of server 1 connection.

When this user logs out in one server or another server, he should be redirected to login page in all servers.

I tried to remove cookies from browser without success. How can I make this work? Any help?

Example scenario: In gmail, if you have 2 tabs open in your account and if you log out from one of them, other tab automatically logs out too. The server 1 doesn’t know the information of server 2.. I think my problem is here but I don’t know how I can solve this.

This is my security config:

<http auto-config="false" use-expressions="true" disable-url-rewriting="true">
   <intercept-url pattern="/login.do" access="permitAll" />
   <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
   <remember-me data-source-ref="dataSource" />
   <form-login login-page="/login.do" />
   <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
   <custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />
   <session-management session-authentication-strategy-ref="sas" />
</http>

<!-- <logout logout-url="/j_spring_security_logout" logout-success-url="/" invalidate-session="true" /> -->

<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
   <beans:constructor-arg value="/login.do" />
   <beans:constructor-arg>
      <beans:list>
         <beans:ref bean="rememberMeServices"/>
         <beans:ref bean="logoutHandler"/>
      </beans:list>
   </beans:constructor-arg>
   <!-- <beans:property name="filterProcessesUrl" value="/login.do" /> -->
</beans:bean>

<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

<beans:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
   <beans:property name="sessionRegistry" ref="sessionRegistry" />
   <beans:property name="expiredUrl" value="/login.do" />
</beans:bean>

<beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
   <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
   <beans:property name="maximumSessions" value="1" />
</beans:bean>

<authentication-manager alias="authenticationManager">
   <authentication-provider user-service-ref="jdbcUserService" />
</authentication-manager>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I would recommend you to have a look at SessionRegistry .You can check this here . There has been a discussion on this at Is it possible to invalidate a spring security session? . Check this out too

    Spring sessions are stored as JsessionID cookies. Check here for a discussion on cookie removal.

    The same query has been discussed at Invalid a session when user makes logout (Spring).

    • 0