
I'm using Spring Security to perform log in and log out.

Log in and log out seem to work well every time I perform them.

If I add maxSessionsPreventsLogin() the log in works during the first attempt; after the log out, I can't log in anymore. The method failureUrl() is called and the user is redirected to /login?error

This is my configure method:

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {

        // Custom login page and the names of the credential form fields
        httpSecurity.formLogin()
            .loginPage("/login")
            .usernameParameter("userId")
            .passwordParameter("password");

        // Redirect targets after login, plus concurrent session control:
        // at most one session per user, and a second login is rejected
        httpSecurity.formLogin()
            .defaultSuccessUrl("/")
            .failureUrl("/login?error")
            .and()
            .sessionManagement()
            .maximumSessions(1)
            .maxSessionsPreventsLogin(true);

        // Where to send the user after logout
        httpSecurity.logout()
            .logoutSuccessUrl("/login?logout");

        // Page shown on an access-denied error
        httpSecurity.exceptionHandling()
            .accessDeniedPage("/login?accessDenied");

        // URL-based authorization rules
        httpSecurity.authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/**/add").access("hasRole('ADMIN')")
            .antMatchers("/**/market/**").access("hasRole('USER')");
    }

The CSRF system is enabled, and according to Spring Security's requirements I put

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

inside the login form and inside the log out form (in which I perform a POST request to "/logout").

Can anybody help me? Thank you

MDP
  • If you deploy your app e.g. on tomcat then your session is valid until the tomcat session management invalidates it. Therefore your session is still valid even if you've logged out. – M46 Sep 28 '18 at 12:04
  • The logout invalidates the session, unless you are hacking around the Spring Security logout mechanism. And I wonder did you register the `HttpSessionEventPublisher` which handles the session removal? – M. Deinum Sep 28 '18 at 12:35
  • I didn't register any HttpSessionEventPublisher, I thought spring would take care of invalidating session. I'll look into HttpSessionEventPublisher. :) – MDP Sep 28 '18 at 12:45
  • @MDP See https://stackoverflow.com/a/36970658/5277820 – dur Oct 01 '18 at 09:16
  • Possible duplicate of https://stackoverflow.com/questions/41429778/spring-security-logout-and-maximum-sessions – dur Oct 01 '18 at 09:24
  • Does this answer your question? [Spring Boot Security Logout Does Not Invalidate Session](https://stackoverflow.com/questions/25486722/spring-boot-security-logout-does-not-invalidate-session) – Eleftheria Stein-Kousathana Jan 22 '21 at 12:02

1 Answer

You can also try to invalidate the session upon logout:

    httpSecurity.logout()
        .logoutUrl("/logout")
        .logoutSuccessUrl("/")
        .invalidateHttpSession(true)   // destroy the HttpSession on logout
        .clearAuthentication(true)     // drop the Authentication from the SecurityContext
        .permitAll();
Royts