
Thread: Spring security concurrent-session and HttpSessionListener problem

  1. #1 (Join Date: Aug 2010, Posts: 26)

    Spring security concurrent-session and HttpSessionListener problem

    I have implemented HttpSessionListener and it works fine except for the case when a logged-in user concurrently logs in a second time. Spring terminates the first session correctly, but the destroySession event is never fired, at least my listener never gets it.

    My spring-security is as follows:
    Code:
    <session-management
        session-fixation-protection="migrateSession">

        <concurrency-control
            max-sessions="1"
            expired-url="/login_sessionexpired" />
    </session-management>
    The above logs the user out of the first session if they concurrently log in a second time; however, HttpSessionListener.sessionDestroyed is never called.

    The HttpSessionListener.sessionDestroyed is called normally for manual logout and session time out.

    I have a 'delegating proxy' for the listener in web.xml:
    Code:
    <listener>
        <listener-class>com.test.security.DelegatingHttpSessionEventListenerProxy</listener-class>
    </listener>
    This listener delegates to a spring-bean defined in the my-servlet.xml as:
    Code:
    <bean id="httpSessionEventListener"
          class="com.test.security.SimpleHttpSessionEventListenerImpl" />
    The delegating listener is coded as:
    Code:
    import javax.servlet.http.HttpSessionEvent;
    import javax.servlet.http.HttpSessionListener;

    import org.springframework.context.ApplicationContext;
    import org.springframework.web.context.support.WebApplicationContextUtils;

    /**
     * Registered in web.xml; looks up the real listener bean in the Spring
     * web application context and forwards each session event to it.
     */
    public class DelegatingHttpSessionEventListenerProxy implements
            HttpSessionListener {

        /**
         * Delegates sessionCreated Event to the Spring-bean
         */
        @Override
        public void sessionCreated(HttpSessionEvent se) {
            delegate(se).sessionCreated(se);
        }

        /**
         * Delegates sessionDestroyed Event to the Spring-bean
         */
        @Override
        public void sessionDestroyed(HttpSessionEvent se) {
            delegate(se).sessionDestroyed(se);
        }

        /** Resolves the target bean from the web application context. */
        private HttpSessionListener delegate(HttpSessionEvent se) {
            ApplicationContext context = WebApplicationContextUtils
                    .getWebApplicationContext(se.getSession().getServletContext());
            return context.getBean("httpSessionEventListener", HttpSessionListener.class);
        }
    }
    I'm using spring-security-3.0.5, can somebody please tell me what I am missing?

    Thank you.

  2. #2 Luke Taylor, Senior Member, Acegi Security System Team, Spring Team (Join Date: Aug 2004, Location: Glasgow, Scotland, Posts: 3,449)

    The session will only be invalidated if the user tries to use it again after starting a new session, otherwise it will time out as normal. This is because it isn't possible to invalidate a session other than during a request made as part of that session. At least not without resorting to container-specific APIs.
    Spring - by Pivotal
    twitter @tekul

  3. #3 (Join Date: Aug 2010, Posts: 26)

    You are absolutely right, it is. I was expecting it to time out the moment another concurrent log-in was made.
    Thank you.

  4. #4 (Join Date: May 2010, Posts: 9)

    Luke, is that part of the Servlet spec? I was unaware of this.

  5. #5 Luke Taylor, Senior Member, Acegi Security System Team, Spring Team (Join Date: Aug 2004, Location: Glasgow, Scotland, Posts: 3,449)

    Quote Originally Posted by ericacm:
        Luke, is that part of the Servlet spec? I was unaware of this.
    Sorry, not sure what you mean. Is what part of the servlet spec? You need a reference to the HttpSession to be able to invalidate it and that is only obtainable through the HttpServletRequest, which is what I meant by my comment.
    Last edited by Luke Taylor; Jun 15th, 2011 at 05:30 PM.
    Spring - by Pivotal
    twitter @tekul

  6. #6 (Join Date: May 2010, Posts: 9)

    I see - but if you have a reference to an HttpSession from somewhere else (for example, a container-specific API or a cache you are maintaining in an HttpSessionListener) then you can still call invalidate() on it, correct?
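The listener-maintained cache asked about in the post above, as an added Java example that is not code from this thread or from Spring Security; the class name SessionCacheListener and its invalidateById method are my own assumptions:

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Hypothetical listener that caches every live HttpSession by id so one can be
 * invalidated from outside its own request, e.g. after concurrency control has
 * marked it expired. Register it in web.xml like the delegating proxy above.
 */
public class SessionCacheListener implements HttpSessionListener {

    // Session ids are bearer tokens: keep this map private and never log them.
    private static final Map<String, HttpSession> SESSIONS =
            new ConcurrentHashMap<String, HttpSession>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        SESSIONS.put(se.getSession().getId(), se.getSession());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Fired for timeout, logout and explicit invalidate() (also for the old
        // session dropped by migrateSession), so the cache never holds a dead one.
        SESSIONS.remove(se.getSession().getId());
    }

    /**
     * Invalidates the cached session with the given id from any thread: true if
     * it was found and invalidated, false if unknown or already invalid. The
     * Servlet spec gives no thread-safety guarantee for an HttpSession outside
     * its own request, so whether this is safe is container-specific.
     */
    public static boolean invalidateById(String sessionId) {
        HttpSession session = SESSIONS.remove(sessionId);
        if (session == null) {
            return false;
        }
        try {
            session.invalidate();
            return true;
        } catch (IllegalStateException alreadyInvalidated) {
            return false;
        }
    }
}
```

Because invalidate() makes the container fire sessionDestroyed, a listener such as the one in the first post sees the event immediately instead of waiting for the expired session's next request.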
