When developing a multi-user web application, it was necessary to limit the number of active sessions for one user. In this article I want to share my solutions with you.
Session control is relevant for a large number of projects. In our application, it was necessary to implement a limit on the number of active sessions for one user. When logging in (login), an active session is created for the user. When the same user logs in from another device, it is necessary not to open a new session, but to inform the user about an already existing active session and offer him 2 options:
- close the last session and open a new one
- do not close the old session and do not open a new session
Also, when the old session is closed, it is necessary to send a notification to the administrator about this event.
And you need to take into account 2 possibilities of session invalidation:
- logging out of the user (i.e. the user clicks the logout button)
- automatic logout after 30 minutes of inactivity
Saving sessions across reboots
First you need to learn how to create and save sessions (we will save them in the database, but it is possible to save them in redis, for example). Spring security and spring session jdbc will help us with this . In build.gradle add 2 depending on:
implementation(
'org.springframework.boot:spring-boot-starter-security',
'org.springframework.session:spring-session-jdbc'
)
Let's create our own WebSecurityConfig , in which we will enable saving sessions to the database using the @EnableJdbcHttpSession annotation
@EnableWebSecurity
@EnableJdbcHttpSession
@RequiredArgsConstructor
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private final UserDetailsService userDetailsService;
private final PasswordEncoder passwordEncoder;
private final AuthenticationFailureHandler securityErrorHandler;
private final ConcurrentSessionStrategy concurrentSessionStrategy;
private final SessionRegistry sessionRegistry;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors().and()
// csrf
.csrf().and()
.httpBasic().and()
.authorizeRequests()
.anyRequest()
.authenticated().and()
//
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/api/logout"))
// 200( 203)
.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK))
//
.invalidateHttpSession(true)
.clearAuthentication(true)
// (.. , ..)
.addLogoutHandler(new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(Directive.ALL)))
.permitAll().and()
// ( )
.sessionManagement()
// ( 1, .. , )
.maximumSessions(3)
// (3) SessionAuthenticationException
.maxSessionsPreventsLogin(true)
// ( )
.sessionRegistry(sessionRegistry).and()
//
.sessionAuthenticationStrategy(concurrentSessionStrategy)
//
.sessionAuthenticationFailureHandler(securityErrorHandler);
}
//
@Bean
public static ServletListenerRegistrationBean httpSessionEventPublisher() {
return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
}
@Bean
public static SessionRegistry sessionRegistry(JdbcIndexedSessionRepository sessionRepository) {
return new SpringSessionBackedSessionRegistry(sessionRepository);
}
@Bean
public static PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(12);
}
}
With the help of this config, we not only enabled the saving of active sessions in the database, but also wrote the logic for user logout, added our own strategy for handling sessions and an interceptor for errors.
To save sessions to the database, you also need to add a property in application.yml (postgresql is used in my project):
spring:
datasource:
url: jdbc:postgresql://localhost:5432/test-db
username: test
password: test
driver-class-name: org.postgresql.Driver
session:
store-type: jdbc
You can also specify the session lifetime (by default 30 minutes) using property:
server.servlet.session.timeout
If you do not specify a suffix, then seconds will be used by default.
Next, we need to create a table in which sessions will be saved. In our project, we use liquibase , so we register the creation of a table in the changeset:
<changeSet id="0.1" failOnError="true">
<comment>Create sessions table</comment>
<createTable tableName="spring_session">
<column name="primary_id" type="char(36)">
<constraints primaryKey="true"/>
</column>
<column name="session_id" type="char(36)">
<constraints nullable="false" unique="true"/>
</column>
<column name="creation_time" type="bigint">
<constraints nullable="false"/>
</column>
<column name="last_access_time" type="bigint">
<constraints nullable="false"/>
</column>
<column name="max_inactive_interval" type="int">
<constraints nullable="false"/>
</column>
<column name="expiry_time" type="bigint">
<constraints nullable="false"/>
</column>
<column name="principal_name" type="varchar(1024)"/>
</createTable>
<createIndex tableName="spring_session" indexName="spring_session_session_id_idx">
<column name="session_id"/>
</createIndex>
<createIndex tableName="spring_session" indexName="spring_session_expiry_time_idx">
<column name="expiry_time"/>
</createIndex>
<createIndex tableName="spring_session" indexName="spring_session_principal_name_idx">
<column name="principal_name"/>
</createIndex>
<createTable tableName="spring_session_attributes">
<column name="session_primary_id" type="char(36)">
<constraints nullable="false" foreignKeyName="spring_session_attributes_fk" references="spring_session(primary_id)" deleteCascade="true"/>
</column>
<column name="attribute_name" type="varchar(1024)">
<constraints nullable="false"/>
</column>
<column name="attribute_bytes" type="bytea">
<constraints nullable="false"/>
</column>
</createTable>
<addPrimaryKey tableName="spring_session_attributes" columnNames="session_primary_id,attribute_name" constraintName="spring_session_attributes_pk"/>
<createIndex tableName="spring_session_attributes" indexName="spring_session_attributes_idx">
<column name="session_primary_id"/>
</createIndex>
<rollback>
<dropIndex tableName="spring_session_attributes" indexName="spring_session_attributes_idx"/>
<dropIndex tableName="spring_session_attributes" indexName="spring_session_attributes_pk"/>
<dropIndex tableName="spring_session_attributes" indexName="spring_session_attributes_fk"/>
<dropIndex tableName="spring_session" indexName="spring_session_principal_name_idx"/>
<dropIndex tableName="spring_session" indexName="spring_session_expiry_time_idx"/>
<dropIndex tableName="spring_session" indexName="spring_session_session_id_idx"/>
<dropTable tableName="spring_session_attributes"/>
<dropTable tableName="spring_session"/>
</rollback>
</changeSet>
Limiting the number of sessions
We use our custom strategy to limit the number of sessions. For limitation, in principle, it would be enough to write in the config:
.maximumSessions(1)
However, we need to give the user a choice (close the previous session or not open a new one) and inform the administrator about the user's decision (if he chose to close the session).
Our custom strategy will be the successor.
ConcurrentSessionControlAuthenticationStrategy , which allows you to determine whether the user has exceeded the session limit or not.
@Slf4j
@Component
public class ConcurrentSessionStrategy extends ConcurrentSessionControlAuthenticationStrategy {
// (true - )
private static final String FORCE_PARAMETER_NAME = "force";
//
private final NotificationService notificationService;
//
private final SessionsManager sessionsManager;
public ConcurrentSessionStrategy(SessionRegistry sessionRegistry, NotificationService notificationService,
SessionsManager sessionsManager) {
super(sessionRegistry);
//
super.setExceptionIfMaximumExceeded(true);
// , 1
super.setMaximumSessions(1);
this.notificationService = notificationService;
this.sessionsManager = sessionsManager;
}
@Override
public void onAuthentication(Authentication authentication, HttpServletRequest request,
HttpServletResponse response)
throws SessionAuthenticationException {
try {
// ( SessionAuthenticationException 1)
super.onAuthentication(authentication, request, response);
} catch (SessionAuthenticationException e) {
log.debug("onAuthentication#SessionAuthenticationException");
// ( , )
UserDetails userDetails = (UserDetails) authentication.getPrincipal();
String force = request.getParameter(FORCE_PARAMETER_NAME);
// 'force' , ,
if (StringUtils.isBlank(force)) {
log.debug("onAuthentication#Multiple choices when login for user: {}", userDetails.getUsername());
throw e;
}
// 'force' = false, , ( )
if (!Boolean.parseBoolean(force)) {
log.debug("onAuthentication#Invalidate current session for user: {}", userDetails.getUsername());
throw e;
}
log.debug("onAuthentication#Invalidate old session for user: {}", userDetails.getUsername());
// ,
sessionsManager.deleteSessionExceptCurrentByUser(userDetails.getUsername());
// ( ip - . , )
notificationService.notify(request, userDetails);
}
}
}
It remains to describe the removal of active sessions, except for the current one. To do this, in the SessionsManager implementation, we implement the deleteSessionExceptCurrentByUser method :
@Service
@RequiredArgsConstructor
@Slf4j
public class SessionsManagerImpl implements SessionsManager {
private final FindByIndexNameSessionRepository sessionRepository;
@Override
public void deleteSessionExceptCurrentByUser(String username) {
log.debug("deleteSessionExceptCurrent#user: {}", username);
// session id
String sessionId = RequestContextHolder.currentRequestAttributes().getSessionId();
//
sessionRepository.findByPrincipalName(username)
.keySet().stream()
.filter(key -> !sessionId.equals(key))
.forEach(key -> sessionRepository.deleteById((String) key));
}
}
Handling errors when the session limit is exceeded
As you can see, in the absence of the force parameter (or when it is false ), we throw a SessionAuthenticationException from our strategy. We would like to return not an error to the front, but 300 status (so that the front knows that it needs to show a message to the user to select an action). To do this, we implement the interceptor that we added to
.sessionAuthenticationFailureHandler(securityErrorHandler)
@Component
@Slf4j
public class SecurityErrorHandler extends SimpleUrlAuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
AuthenticationException exception)
throws IOException, ServletException {
if (!exception.getClass().isAssignableFrom(SessionAuthenticationException.class)) {
super.onAuthenticationFailure(request, response, exception);
}
log.debug("onAuthenticationFailure#set multiple choices for response");
response.setStatus(HttpStatus.MULTIPLE_CHOICES.value());
}
}
Conclusion
Session management turned out to be not as scary as it seemed at the beginning. Spring allows you to flexibly customize your strategies for this. And with the help of an error interceptor, you can return any message and status to the front.
I hope that this article will be useful to someone.