Spring Security Property expiredUrl of SessionManagement is not handled correctly

Spring Boot Security

Property expiredUrl of SessionManagement is not handled correctly

Actual Behavior

This situation is verified by having the limit of max 1 sessions for user in security config. Then signing in with the first user (A) and then logging in with the second user (B), the first one (A) is being invalidated on the server side correctly. When the first user (A) refreshes the page, instead of too many sessions per user error message, Spring security returns Invalid Session error code.

Detailed procedure is described below:

For cocurrent session, in this case expiredUrl not work, this is my use case:

1. Open the first tab/browser and sign in
2. Open the second tab/browser and sign in
3. Go to the first tab/browser and refresh the page(F5) and redirect to invalidSessionUrl. KO

On step #3 spring will return invalidSessionUrl error message instead of too many sessions per user.

In order to avoid the session being shared, I reccomend to use two different browsers or a browser in incognito mode.

Note: The third step must be performed before the session timeout otherwise the session will be invalidated by timeout instead of concurrent session. For testing, in demo project the session expiration is configured to 20 seconds.

Expected Behavior

1. Open first browser = go to login page, insert credential and go home page.
2. Open second browser = go to login page, insert credential and go home page.
3. Go to first browser and press refresh page(F5) and redirect to expiredUrl. (Redirect to invalidSessionUrl only if session expired)

Configuration

.sessionManagement()
    .sessionFixation().migrateSession()
    .invalidSessionUrl(LOGIN_INVALID_SESSION_URL)
    .maximumSessions(1)
    .maxSessionsPreventsLogin(false)
    .expiredUrl(LOGIN_EXPIRED_URL)

WorkAround

Add custom filter customConcurrentSessionFilter before ConcurrentSessionFilter.

http.addFilterBefore(customConcurrentSessionFilter(), ConcurrentSessionFilter.class)

Remove expiredUrl from default configuration because it is already declared into the custom filter

.sessionManagement()
    .sessionFixation().migrateSession()
    .invalidSessionUrl(LOGIN_INVALID_SESSION_URL)
    .maximumSessions(1)
    .maxSessionsPreventsLogin(false)
    //.expiredUrl(LOGIN_EXPIRED_URL)  <-- Note on commented instruction

Custom filter is almost identical to the ConcurrentSessionFilter, except in doFilter(...) before sending the redirect, creating new empty session. By doing this, when the SessionManagementFilter is invoked, it does not handle InvalidSession error.

Version

Spring boot 1.4.2.RELEASE

Sample

https://github.com/MassimoScattarella/FixConcurrentSessionForSpringBootSecurity

Comment From: syakuis

ConcurrentSessionFilter expriedUrl Deprecated!!

public class SessionExpiredHandler implements SessionInformationExpiredStrategy {
    private final String expiredUrl;

    public SessionExpiredHandler(String expiredUrl) {
        this.expiredUrl = expiredUrl;
    }

    @Override
    public void onExpiredSessionDetected(SessionInformationExpiredEvent sessionInformationExpiredEvent) throws IOException, ServletException {
        HttpServletRequest request = sessionInformationExpiredEvent.getRequest();
        HttpServletResponse response = sessionInformationExpiredEvent.getResponse();
        response.sendRedirect(request.getContextPath() + expiredUrl);
    }
}

<beans:bean id="concurrentSessionFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
        <beans:constructor-arg name="sessionInformationExpiredStrategy" ref="sessionExpiredHandler" />
</beans:bean>

Comment From: lorenzo-catalano

hi @syakuis , i tried @MassimoScattarella 's code in https://github.com/MassimoScattarella/FixConcurrentSessionForSpringBootSecurity and i found that in spring boot 1.4.2 that he's using, ConcurrentSessionFilter expriedUrl is not deprecated. Trying your code with spring boot 1.5.3 still gives a redirect to invalidSessionUrl AFTER the redirect to expiredUrl. I tried creating a new session like this

    @Override
    public void onExpiredSessionDetected(SessionInformationExpiredEvent sessionInformationExpiredEvent) throws IOException, ServletException {
        HttpServletRequest request = sessionInformationExpiredEvent.getRequest();
        HttpServletResponse response = sessionInformationExpiredEvent.getResponse();
        request.getSession();//creates a new session
        response.sendRedirect(request.getContextPath() + expiredUrl);
    } 

and it works correctly without the second redirect to invalidSessionUrl. is this the correct way?

Comment From: hi-rullah

May I follow up latest status please for this issue?