Question

I have a design/system requirement to notify a user, User-A, that there was another active session (by User-B) prior to User-A's login. How do you accomplish this using Spring Security?

The scenario is this:

  1. John Doe logs in to the system using username johndoe
  2. Jane logs in to the system using johndoe
  3. The system should display a notification (that includes the other user's IP address) to both users that there was another session created using his or her username.

Example:

After Jane's login in Step-2, John Doe, upon making a new request (like clicking a link), will receive the following notification:

You have been automatically logged-out of the system.
Your login credential was used with IP Address (x.x.x.x).
If you believe your account was compromised, please report...

At the same time, upon Jane's login, she will be notified as well that there was another active session prior to her login.

Your login credential was used with IP Address (x.x.x.x).
If you believe your account was compromised, please report...

I tried looking into custom session management filters, custom concurrent session filters, and custom concurrent control strategy, but I can't wrap my head around the subject. I can't seem to identify which item I should customize.

I've also read the Session Management chapter of Spring Security's documentation, but am stuck on how to implement the requirement above.


Solution

If I get your question, you need only one user to be logged in with xyz credentials at one time, and if another user (A) tries to log in when one user (B) is already logged in, then you don't want user A to get logged in, and you want to prompt them that someone is logged in with the same credentials.

You can achieve this with max-sessions="1":

<security:http auto-config="true" use-expressions="true" access-denied-page="/accessDenied.jsp">

    <security:form-login login-page="/index.jsp"
        default-target-url="/jsp/home.jsp"
        authentication-failure-handler-ref="authenticationFailureHandler"/>

    <security:session-management>
        <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
    </security:session-management>

</security:http>

Somewhere I am getting confused in understanding your actual need. If you need both sessions to remain active, then increase max-sessions="max_session_you_need" and just register a session creation listener; there you can check the active sessions against the session request that just came in. If it matches one of the active sessions, then some user is already logged in, and you can do whatever you want to do...
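As an added example (not part of the original answer, and not Spring Security's own code), here is one way to produce both notifications the question asks for on top of max-sessions="1", relying on the default concurrency behaviour that expires the older session instead of error-if-maximum-exceeded="true". It assumes Spring Security 4.2 or later on the javax.servlet API, a SessionRegistry bean (SessionRegistryImpl), and that RequestContextHolder is populated while the login filter runs (RequestContextListener, or Spring Boot's RequestContextFilter). The class name ConcurrentLoginNotifier, the two in-memory maps and the consumeAlert method are my own invention, not a Spring API.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.session.SessionInformationExpiredEvent;
import org.springframework.security.web.session.SessionInformationExpiredStrategy;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;

/**
 * Hypothetical component: records the remote IP of every interactive login,
 * detects other sessions for the same principal, and queues a notification
 * for each side. It also acts as the expired-session strategy so the older
 * session (expired by ConcurrentSessionControlAuthenticationStrategy) sees the
 * notification on its next request instead of the default generic message.
 */
@Component
public class ConcurrentLoginNotifier
        implements ApplicationListener<InteractiveAuthenticationSuccessEvent>,
                   SessionInformationExpiredStrategy {

    private final SessionRegistry sessionRegistry;
    // sessionId -> remote IP seen at login (in-memory for illustration only)
    private final ConcurrentMap<String, String> ipBySession = new ConcurrentHashMap<>();
    // sessionId -> notification text waiting to be shown to that session's user
    private final ConcurrentMap<String, String> pendingAlerts = new ConcurrentHashMap<>();

    public ConcurrentLoginNotifier(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    /**
     * InteractiveAuthenticationSuccessEvent is published by the login filter after
     * the SessionAuthenticationStrategy ran, so the registry already holds the new
     * session (under its post-fixation-protection id) and has expired the old one.
     */
    @Override
    public void onApplicationEvent(InteractiveAuthenticationSuccessEvent event) {
        Authentication auth = event.getAuthentication();
        String currentSessionId = RequestContextHolder.currentRequestAttributes().getSessionId();
        String newIp = remoteAddress(auth);
        ipBySession.put(currentSessionId, newIp);

        // includeExpiredSessions=true: the older session is already marked expired
        List<SessionInformation> sessions = sessionRegistry.getAllSessions(auth.getPrincipal(), true);
        List<String> otherIps = new ArrayList<>();
        for (SessionInformation info : sessions) {
            if (info.getSessionId().equals(currentSessionId)) {
                continue; // this is the login that just happened
            }
            otherIps.add(ipBySession.getOrDefault(info.getSessionId(), "unknown"));
            // Message for the earlier user (John in the question)
            pendingAlerts.put(info.getSessionId(),
                    "You have been automatically logged-out of the system.\n"
                  + "Your login credential was used with IP Address (" + newIp + ").\n"
                  + "If you believe your account was compromised, please report it.");
        }
        if (!otherIps.isEmpty()) {
            // Message for the new user (Jane in the question)
            pendingAlerts.put(currentSessionId,
                    "Your login credential was used with IP Address (" + String.join(", ", otherIps) + ").\n"
                  + "If you believe your account was compromised, please report it.");
        }
    }

    /** Invoked by ConcurrentSessionFilter when an expired session makes a request. */
    @Override
    public void onExpiredSessionDetected(SessionInformationExpiredEvent event)
            throws IOException, ServletException {
        String expiredId = event.getSessionInformation().getSessionId();
        ipBySession.remove(expiredId);
        String alert = pendingAlerts.remove(expiredId);
        HttpServletResponse response = event.getResponse();
        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().write(alert != null ? alert : "This session has expired.");
    }

    /** For a controller or interceptor to show (and clear) the alert of a live session. */
    public String consumeAlert(String sessionId) {
        return pendingAlerts.remove(sessionId);
    }

    private static String remoteAddress(Authentication auth) {
        Object details = auth.getDetails();
        return details instanceof WebAuthenticationDetails
                ? ((WebAuthenticationDetails) details).getRemoteAddress()
                : "unknown";
    }
}
```

Wiring, in Java config: http.sessionManagement().maximumSessions(1).sessionRegistry(sessionRegistry).expiredSessionStrategy(notifier), plus an HttpSessionEventPublisher bean so that sessions ended by logout or timeout are removed from the registry; without it, stale registry entries would keep triggering alerts. Two caveats matter in practice: the registry groups sessions by principal equality, so a custom UserDetails class must implement equals/hashCode on the username (Spring's User already does), and WebAuthenticationDetails reports the address of the immediate client, so behind a reverse proxy the forwarded address has to be resolved (for example with Spring's ForwardedHeaderFilter) before the IP shown to the user is meaningful.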

Licensed under: CC-BY-SA with attribution