
Thread: Deleting user doesn't invalidate his session

  1. #1
    Join Date
    Nov 2011
    Posts
    7

    Deleting user doesn't invalidate his session

    Hi,

    I am probably doing something wrong, when I delete a user, his session is still working, although the user disappears from the database.

    Does anyone have any suggestions what I could be doing wrong?

    Many thanks for your ideas!

    Best regards,
    Radim

  2. #2


    Hi Radim,

    Assuming you are using Web MVC and some controller to delete your user, here is what worked for me (place this code after deleting the user from the database):

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;
    import org.springframework.security.core.context.SecurityContextHolder;

    // Run this after the user row has been removed from the database.
    // Clears the authentication held for the current thread and invalidates
    // the HTTP session of the request that triggered the deletion.
    SecurityContextHolder.clearContext();
    HttpSession session = request.getSession(false);
    if (session != null) {
        session.invalidate();
    }

    Nes

  3. #3
    Join Date
    Jul 2009
    Posts
    13


    If you delete the user User1 in some administration page in the name of an administrator user User2, then you probably do not want to invalidate the actual session of the administrator user User2. You rather have to get a reference to the SessionRegistry, and

    import org.springframework.security.core.session.SessionInformation;
    import org.springframework.security.core.session.SessionRegistry;
    import org.springframework.security.core.userdetails.UserDetails;

    // registry is the SessionRegistry bean; "User1" is the username that was deleted
    for (Object principal : registry.getAllPrincipals()) {
        // the registry stores whatever Authentication.getPrincipal() returned
        if (principal instanceof UserDetails
                && "User1".equals(((UserDetails) principal).getUsername())) {
            for (SessionInformation sessionInfo : registry.getAllSessions(principal, true)) {
                // marks the session expired; ConcurrentSessionFilter rejects it on the next request
                sessionInfo.expireNow();
            }
        }
    }
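
    The approach described in post #3, carried through as a complete service, is shown below. This is an added example and not code from the thread or from Spring Security itself. It assumes a SessionRegistryImpl bean is available, that HttpSessionEventPublisher is declared in web.xml so the registry is told when sessions are destroyed, and that ConcurrentSessionFilter is in the filter chain, because expireNow() only flags a registry entry and it is that filter which actually invalidates the HttpSession on the user's next request. UserRepository is a hypothetical DAO, not a Spring class.

```java
import java.util.List;

import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;

/**
 * Deletes an account and expires only that account's sessions, leaving the
 * administrator who performs the deletion logged in. Added example; assumes
 * the session-registry configuration described in the lead-in.
 */
public class UserDeletionService {

    private final SessionRegistry sessionRegistry;
    private final UserRepository userRepository; // hypothetical DAO

    public UserDeletionService(SessionRegistry sessionRegistry, UserRepository userRepository) {
        this.sessionRegistry = sessionRegistry;
        this.userRepository = userRepository;
    }

    /**
     * Removes the account from the database, then flags every session the
     * registry knows for that username.
     *
     * @return number of sessions that were flagged as expired
     */
    public int deleteUser(String username) {
        userRepository.delete(username);
        return expireSessionsOf(username);
    }

    int expireSessionsOf(String username) {
        int expired = 0;
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (!belongsTo(principal, username)) {
                continue; // some other user's sessions, including the admin's own
            }
            // includeExpiredSessions=false: entries already expired need no work
            List<SessionInformation> sessions = sessionRegistry.getAllSessions(principal, false);
            for (SessionInformation info : sessions) {
                // expireNow() marks the entry; ConcurrentSessionFilter invalidates the
                // HttpSession and redirects when that session next sends a request.
                info.expireNow();
                expired++;
            }
        }
        return expired;
    }

    /**
     * The registry stores whatever Authentication.getPrincipal() returned. With a
     * UserDetailsService that is a UserDetails; otherwise it is often a plain String.
     */
    private static boolean belongsTo(Object principal, String username) {
        if (principal instanceof UserDetails) {
            return username.equals(((UserDetails) principal).getUsername());
        }
        return username.equals(String.valueOf(principal));
    }

    /** Minimal contract assumed for the example's DAO. */
    public interface UserRepository {
        void delete(String username);
    }
}
```

    With the XML namespace the registry and filter are wired by a concurrency-control element such as `<session-management><concurrency-control session-registry-alias="sessionRegistry"/></session-management>`; the alias is what the service above is injected with. Sessions that were created before a server restart, or on another node, are not in an in-memory registry and therefore are not expired by this code, which is exactly the limitation post #4 raises.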

  4. #4
    Join Date
    Nov 2011
    Posts
    7


    Thanks takach, the issue with this is keeping the session registry up to date. I am using the remember-me feature of Spring Security and, as a result, it is quite difficult to keep the session registry up to date because it won't update the session registry automatically after remember-me cookie authentication. Although this can be fixed by adding an authentication listener, there is another problem: the session registry doesn't survive a Tomcat server restart, while the actual sessions do. Another drawback is that the session registry doesn't work in a cluster; it will only hold the sessions of a particular server, but the user can have a session on a different server in the cluster. With all I mentioned, it seems that it would be quite difficult to keep the session registry in sync with the actual sessions.

    Is there a way of somehow configuring Spring Security to check a user's existence (and also whether the user is enabled) with each authenticated request? And if there is, what would be the impact on performance?

    Thanks,
    Radim

  5. #5
    Join Date
    Jan 2008
    Posts
    1,826


    Quote Originally Posted by xkolr03
    Thanks takach, the issue with this is keeping the session registry up to date. I am using the remember-me feature of Spring Security and, as a result, it is quite difficult to keep the session registry up to date because it won't update the session registry automatically after remember-me cookie authentication.
    It seems you are on to a new problem which would be best for a new thread. You might refer to https://jira.springsource.org/browse/SEC-2028

    Quote Originally Posted by xkolr03
    Although this can be fixed by adding an authentication listener, there is another problem: the session registry doesn't survive a Tomcat server restart, while the actual sessions do. Another drawback is that the session registry doesn't work in a cluster; it will only hold the sessions of a particular server, but the user can have a session on a different server in the cluster. With all I mentioned, it seems that it would be quite difficult to keep the session registry in sync with the actual sessions.

    Is there a way of somehow configuring Spring Security to check a user's existence (and also whether the user is enabled) with each authenticated request? And if there is, what would be the impact on performance?

    Thanks,
    Radim
    I think a better approach would be to create a SessionRegistry that works in a distributed fashion and is persisted rather than in memory.

    PS: If you have further questions please start a new thread. This makes searching the forums easier for others looking for answers. It also makes it easier for those assisting you by focusing on a single issue at a time.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
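
    The per-request check that post #4 asks about can be implemented as a filter, shown below as an added example that is not code from the thread or from Spring Security. It reloads the account through the application's UserDetailsService on every authenticated request and drops the authentication when the account has been deleted or disabled, which covers sessions restored after a restart, sessions on other cluster nodes, and remember-me logins alike, without any session registry. The cost is the one the question anticipates: one user lookup per authenticated request unless the UserDetailsService caches. It assumes the filter is registered after the remember-me filter, for example with `<custom-filter after="REMEMBER_ME_FILTER" ref="activeUserCheckFilter"/>`, so that a principal restored from the remember-me cookie is checked too.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Rejects requests whose authenticated principal no longer exists or is no
 * longer enabled. Added example; it assumes placement after the remember-me
 * filter as described in the lead-in.
 */
public class ActiveUserCheckFilter extends OncePerRequestFilter {

    private final UserDetailsService userDetailsService;

    public ActiveUserCheckFilter(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Anonymous requests carry a String principal and are skipped; only real
        // user accounts (UserDetails) are re-validated against the database.
        if (auth != null && auth.getPrincipal() instanceof UserDetails
                && !isStillActive(((UserDetails) auth.getPrincipal()).getUsername())) {
            // Drop the authentication for this thread and destroy the session so the
            // stale principal cannot be restored by SecurityContextPersistenceFilter.
            SecurityContextHolder.clearContext();
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response);
    }

    /** Re-reads the account: deleted, disabled, locked or expired accounts are no longer active. */
    boolean isStillActive(String username) {
        try {
            UserDetails current = userDetailsService.loadUserByUsername(username);
            return current.isEnabled() && current.isAccountNonLocked()
                    && current.isAccountNonExpired();
        } catch (UsernameNotFoundException deleted) {
            return false;
        }
    }
}
```

    Rob's suggested persisted, shared SessionRegistry avoids the per-request lookup by paying the cost once at deletion time; the filter above trades that for simplicity and for immediate effect across every node, so the choice is the usual one between a write-time and a read-time check.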
