Hi,
In my program, a concurrentSessionController was configured with maxSessions = 1.
There are two accounts: Jeff and Tom. Tom's role is Role_Admin and Jeff's is Role_User.
The 403 error page is the login page.
First, I use the account Jeff to log in to the application.
When a page that needs the role Role_Admin is accessed, an AccessDeniedException is thrown
and the login page appears.
Then I use the account Tom to log in to the application.
After doing something, I log out of the application and use the account Jeff to log in again,
and a ConcurrentLoginException (Jeff has reached the maximum concurrent logins) is thrown.
I suspected that when doing the second authentication, the previous session is not invalidated.
I had a look at the source code of the class AuthenticationProcessingFilter and found the answer.
    public Authentication attemptAuthentication(HttpServletRequest request)
            throws AuthenticationException {
        .......
        // Place the last username attempted into HttpSession for views
        // (note: the existing session is reused here, not invalidated)
        request.getSession().setAttribute(ACEGI_SECURITY_LAST_USERNAME_KEY,
                username);
        return this.getAuthenticationManager().authenticate(authRequest);
    }
Maybe before placing the last username attempted into HttpSession for views,
the existing session should be invalidated first.
Am I right?
Thanks
Jeff
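The sequence described in the post, as an added, self-contained model that is not Acegi's code and not code from the original post: a registry keyed by principal with maxSessions = 1 is driven first with the HTTP session id reused across the Jeff / Tom / logout / Jeff logins, and then with the old session invalidated before each authentication. Class and method names (Registry, login, logout, TooManyLoginsException, the session ids S1, S1b, S2) are assumptions chosen for the illustration; the registry semantics are a simplified stand-in for a session registry, not a reproduction of SessionRegistryImpl or ConcurrentSessionControllerImpl.

```java
import java.util.*;

// Constructed model of concurrent-session control with maxSessions = 1.
// Not Acegi's implementation; names are assumptions for this illustration.
public class ConcurrentSessionModel {

    /** Stands in for ConcurrentLoginException. */
    static class TooManyLoginsException extends RuntimeException {
        TooManyLoginsException(String principal) {
            super(principal + " has reached the maximum concurrent logins");
        }
    }

    /** Minimal registry: principal -> live session ids, and session id -> current owner. */
    static class Registry {
        private final int maxSessions;
        private final Map<String, Set<String>> sessionsByPrincipal = new HashMap<>();
        private final Map<String, String> principalBySession = new HashMap<>();

        Registry(int maxSessions) { this.maxSessions = maxSessions; }

        /** Called when a login succeeds inside HTTP session sessionId. */
        void login(String principal, String sessionId) {
            Set<String> live = sessionsByPrincipal.computeIfAbsent(principal, k -> new HashSet<>());
            // The check counts every session id still attributed to this principal.
            if (!live.contains(sessionId) && live.size() >= maxSessions) {
                throw new TooManyLoginsException(principal);
            }
            live.add(sessionId);
            principalBySession.put(sessionId, principal); // overwrites any earlier owner of this id
        }

        /** Called on logout / session destruction: forgets the id for its current owner only. */
        void logout(String sessionId) {
            String owner = principalBySession.remove(sessionId);
            if (owner != null) {
                sessionsByPrincipal.getOrDefault(owner, Collections.emptySet()).remove(sessionId);
            }
        }

        int liveSessions(String principal) {
            return sessionsByPrincipal.getOrDefault(principal, Collections.emptySet()).size();
        }
    }

    /** The post's sequence with the HTTP session reused across logins. Returns true if Jeff's second login succeeds. */
    static boolean reusedSessionScenario() {
        Registry r = new Registry(1);
        r.login("Jeff", "S1");     // Jeff logs in; session S1 is registered for Jeff
        // 403 -> login page shown in the same session; Tom logs in from that same session
        r.login("Tom", "S1");      // S1 is now attributed to Tom, but still listed under Jeff
        r.logout("S1");            // only Tom's entry for S1 is cleared
        try {
            r.login("Jeff", "S2"); // Jeff's new login gets a new session id
            return true;
        } catch (TooManyLoginsException e) {
            return false;          // Jeff still "owns" S1, so the maximum is already reached
        }
    }

    /** Same sequence, but the existing session is invalidated before each authentication. */
    static boolean invalidatedSessionScenario() {
        Registry r = new Registry(1);
        r.login("Jeff", "S1");
        r.logout("S1");            // invalidate before re-authenticating: Jeff's S1 entry is cleared
        r.login("Tom", "S1b");     // fresh session id after invalidation
        r.logout("S1b");
        try {
            r.login("Jeff", "S2");
            return true;
        } catch (TooManyLoginsException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("session reused, Jeff can log in again:      " + reusedSessionScenario());
        System.out.println("session invalidated, Jeff can log in again: " + invalidatedSessionScenario());
    }
}
```

Running the class prints false for the reused-session run and true for the invalidated-session run: when the same session id is re-registered under a second principal, the logout only clears the current owner's entry, and the first principal's stale entry keeps counting against maxSessions. Invalidating the session before the second authentication, so that a new session id is registered, is what removes the stale entry in this model.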