springboot .maxSessionsPreventsLogin(true) is invalid

With the maximum number of sessions set to 1 and without kicking out the old user, I log in as account A, and after logging out I can no longer log in. On inspection I found that the browser's JSESSIONID cookie is still there. After I deleted it manually and customized the logout logic, I still cannot log in. The cookie shows as valid until the end of the browser session. I even configured logic to check the session on logout, and the printed log shows there is no session, yet I still cannot log in; it always shows the maximum-sessions exception. How can I solve this?

Comment From: wilkinsona

If this is a bug, it is most likely to be in Spring Security. It could be related to container session management too. To help us to identify where the problem is, can you please provide a small sample application and step-by-step instructions that we can use to reproduce the problem?

Comment From: muzijin520

security-demo.zip This is the small demo I tested with. After the root user logs in and then logs out, it can no longer log in. I found this problem back in May; please take a look.

Comment From: OLPMO

I ran your demo. Is the bug you reported that the root user can't log in again after logging in once and then logging out? @muzijin520

Comment From: muzijin520

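Yes. Originally I wanted to restrict it so that once a user has logged in, logins from elsewhere are not allowed, but after the old user logs out, this account can no longer be logged in to.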


Comment From: mbhave

@muzijin520 As stated in the javadoc for sessionManagement,

When using `SessionManagementConfigurer#maximumSessions(int)`, do not forget to configure `HttpSessionEventPublisher` for the application to ensure that expired sessions are cleaned up.

You can add a bean of type HttpSessionEventPublisher which would clean up the session once the user has logged out.
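
A configuration showing the fix described in the comment above, as an added example that is not part of the thread or the reporter's demo: the class name `SessionLimitConfig` and the `WebSecurityConfigurerAdapter` style (current at the time of this issue) are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Hypothetical configuration class; adapt the rules to your application.
@Configuration
public class SessionLimitConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            // Logout invalidates the HttpSession in the servlet container.
            .logout().invalidateHttpSession(true)
            .and()
            .sessionManagement()
                // One session per principal; a second login is rejected
                // instead of expiring the existing session.
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true);
    }

    // Without this bean, the container destroys the session on logout but
    // Spring Security's session registry is never told, so the logged-out
    // session still counts toward the limit of 1 and the next login fails.
    // The publisher turns servlet session-destroyed callbacks into Spring
    // events that the registry listens for. Spring Boot registers
    // HttpSessionListener beans with the embedded container automatically.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```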