I'm developing an spring boot project in that session management logic should be when user have logged in first via browser A and immediately user logged in via browser B.. I have to invalidate the browser A session from spring_session table..
How can we handle this scenario?
Could you please help me on this?
Thank you in advance
Related
I was creating my own oauth2 server with SSO enabled for Google and Facebook. I found this example https://github.com/spring-guides/tut-spring-boot-oauth2 to be very useful and I was able to make my oauth2 server expandable after several tweaks.
For session storage, I used redis and everything seems to be working with the spring magics.
However I encountered a session problem when implementing logout. According to single sign on best practice, when a user logout from one client, all other clients with the same session from the auth server should also be logged out. So I added an endpoint for each client to invoke upon successful login to register it's name based on the user session from the auth server. However I noticed that each time I refresh the page on my client web app, I get a new session from the auth server. As a result, each time when I try to logout, the session associated with all registered clients will always become the old one.
I've been searching for solutions online but no luck yet. It would be greatly appreciated if someone could help me with this issue.
TL;DR version:
I implemented an oauth2 server with SSO enabled for Facebook with Spring Boot. After I successfully logged in with my Facebook account, I can see my client web app resources. Every time I refresh the page, I see a new session gets created from the oauth2 server and it gets stored in the redis storage and all the old sessions are kept in the storage as well.
UPDATE
It seems that all the new sessions are generated by anonymous users each time I refresh the page.
Ok after some digging, it turns out that anonymous user by Spring Boot is not much different from unauthenticated users, according to this doc https://docs.spring.io/spring-security/site/docs/current/reference/html/anonymous.html.
It makes sense that every time I refresh page a new session would generate. My problem was that I wasn't using the correct session ID when registering client app upon successful user authentication. Therefore I override "SavedRequestAwareAuthenticationSuccessHandler.java" file so that I can obtain client_id from the request parameter and then register the correct session ID obtained from the Authentication object to this client ID.
I am using Nancy Web Framework and forms authentication.
How do I programmatically invalidate all sessions of a logged in authenticated user?
Logging out the
Context.CurrentUser
with
MyNancyModule.Logout()
just invalidates one session,
if the user is logged in from (e.g.) another browser,
this session is still valid.
That is a good thing, but I want to invalidate all sessions after the user changed her/his password.
Thanks in advance!
The easiest way to do this is change the GUID identifier on the user record that your UserMapper maps to from the session cookie - that will automatically invalidate every single session out there for that user, forcing them to log back in and get a new cookie.
When a session is invalidated in a web app, if i make to that app a new request with the invalidated jsessionid in cookie, what will be the new session's id? As i inspect, a new session is generated but the session id remains same. I couldn't give a explanation to this. Is there such a convention to keep jsessionid in cookie and give that value to newly created session or am i doing something wrong? :)
The Scenario.
I have 2 webapps on same weblogic. The WLCookie name for these apps are same.
When user enters in appA i am making a asynchronous call to appB's logout servlet where the appB's session is invalidated.
when user clicks a link in appA which refers to appB, i am creating a new session in appB and when i check for the sessionid in cookie it still remains same which is first created in appA.
As i know, two webapps on same weblogic does not share their session's if not configured but although i invalidated appB's session from outside why newly created session has still the same session id?
Thanks.
Do not confuse jsessionid with sessions. jsessionid is unique per container instance, where as session is per app. So, the session data won't propagate from AppA to AppB, just because the share the same jsessionid.
I use Spring Security 3 in my JSF2 webapp.
I have a security rule to provide session timeouts:
<session-management invalid-session-url="/faces/paginas/autenticacion/login.xhtml?error=1" />
So that when the session has expired and the user clicks on any link, he is redirected to the login page. In this page I check for the error param, and show a message to the user saying the session has expired.
But I have 2 problems:
(1) When I startup the app the first time (it tries to show the home page), I'm redirected to the login page saying session has expired. I think that this may be happening because the 1st time you run the app, the session is a new one, and Spring Security perhaps "thinks" he has expired (doesn't distinguish betwen a new session and a timeout).
(2) If the session has expired for anonymous users (not yet authenticated), I'm redirected to the login page timeout too. I don't want this behaviour for non-authenticated users, I just want to check the timeouts for authenticated users.
How can I solve both of these problems?
Thank you in advance.
You want to use the expired-session-url property for expired sessions, not the invalid-session-url. They are for two different things.
i'm trying to login and logout users within the tomcat/blazeDS environment. I wrote a custom Java Login Proxy to handle the login which works. As i tried to logout user i.e. invalidate Sessions i realized that the Flash Application gets a new Session Id (new Session) for every call of the AMF channel. What happens is that if i try to invalidate a session its useless because the next call will be new and valid with the same user credentials again.
How can i logout a user from a Flex Application / Tomcat context then? I cant't find good examples without custom Authentication.
Thanks
Andreas
You would have to pass the session id from Flex to the Java backend and have the backend invalidate the session to log out the user.