Why does Spring Security go to last page before logout when I log out and log back in? - spring-security

I have a web application running on Spring Webflow with Spring Security. I have a problem logging out because my app kinda remembers the last page after logging out. When I press back or directly paste the URL into the address bar it can direct the page to the login page, but if I log in it will go directly to the last page I went to before logging out. It tends to remember its last state. Below is my application-config snippet.
<security:logout logout-url="/logout.do" invalidate-session="true"
logout-success-url="/logoutSuccess.do" />
Link in my page:
#{label.labellogout}

The expired-url attribute
The URL a user will be redirected to if they attempt to use a session which has been "expired" by the concurrent session controller because the user has exceeded the number of allowed sessions and has logged in again elsewhere. Should be set unless exception-if-maximum-exceeded is set. If no value is supplied, an expiry message will just be written directly back to the response.
Sounds like your session is still valid after a logout. Try to make it invalid after logout.
Text is from: Spring Doc

Not sure that I correctly understand your problem but:
B.1.1.4. session-fixation-protection
Indicates whether an existing session should be invalidated when a user authenticates and a new session started. If set to "none" no change will be made. "newSession" will create a new empty session. "migrateSession" will create a new session and copy the session attributes to the new session. Defaults to "migrateSession".
If enabled this will add a SessionFixationProtectionFilter to the stack. The session fixation protection options on namespace-created instances of AbstractProcessingFilter will also be set appropriately.
Can be read here: link

Related

Is socket.io connection only triggered on page load?

I have a node application and users need to log in. We don't want to refresh the page after logging them in. The problem is we cannot add their sockets by their user id if the page is not refreshed. I'm thinking there may be some alternatives for this, rather than refreshing the page.
I found out that the socket id is saved in cookies. I just get it from the cookies after login and then save it to usersSocketList. This solved my problem.

Cookies getting deleted from browser on exit (Spring Security 3.1)?

I am using Spring Security 3.1 to handle login authentication, session timeouts and maximum sessions.
Also I am deleting cookies only on logout.
<logout delete-cookies="JSESSIONID" logout-success-url='logout page' />
Also I have set maximum sessions to 1 as of now for testing.
When I open my webpage in the browser, it stores the JSESSIONID in a cookie, but the problem starts when I exit and reopen my browser. At this time I cannot find any cookies in the browser; they get deleted, which is why I am not getting redirected to the welcome page (the page after login).
But when I log in again, it shows an error message that I am printing: number of sessions exceeded.
This possibly means that the session remains alive on the server side but gets deleted from the cookie on the client side, due to which I neither see the welcome page nor am able to log in on the login page.
What else do I need to do so that cookies remain in the browser until the session times out? I have set the session timeout to 10 days.
This is normal behaviour. JSESSIONID cookies are only valid for the lifetime of a browser session so are gone when you close your browser. This isn't something you can change.
There is no connection between the browser's perception of a session and the lifetime of a session on the server. Unless you actually log out, the server session is still there until it times out and is removed by the server (10 days in your case). Until that happens, trying to log in again will exceed the number of allowed sessions.
If you want to stay logged in for 10 days, you might want to look at using remember-me cookies rather than the standard servlet container session.
Unless you have a definite requirement for restricting the number of concurrent sessions a user can have, I would avoid using that as it will just cause you problems. You haven't actually shown your configuration for this, but there are really just two options. Either a user can log back in again and the previous session will be marked as expired, or attempting to log in a second time will cause an error until the previous session has timed out, or the user logs out to explicitly invalidate it. The behaviour is controlled by the error-if-maximum-exceeded namespace attribute.

When does rails set the session id

In our code we reset session info when the user logs in, so that a new session id is generated. The session info is reset in the application controller during the process of logging in. That reset clears the session id that came in with the login request.
I am unable to determine when a new session id is then generated. Any ideas? THANKS
Sessions are lazily loaded. If you don't access sessions in your action's code, they will not be loaded. Hence you will never need to disable sessions; just not accessing them will do the job.
From http://guides.rubyonrails.org/action_controller_overview.html#session
Meaning as soon as you access the session hash in your code it will be generated.

How to block multiple logins using Spring-security?

When the same user logs in using different browsers/machines concurrently, the user is allowed to log in with the same credentials.
With Spring Security concurrent session control this can be easily handled by the following configuration in the security.xml file:
<concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
Problem: After a successful login, the user shall be blocked from logging in again from any other browser/machine if he closes the browser window without clicking the logout button. He may be restricted for a session timeout interval.
After a successful login, the user shall be blocked from logging in again from any other browser/machine if he closes the browser window without clicking the logout button
Yes. This is what the <concurrent-session-control max-sessions="1" .../> does.
If you don't want the user to be locked out you need to set max-sessions="2".
Or.
On a successful login you can set a cookie which lives forever and identifies the user browser. So when you get a login request with a different cookie but same username you can invalidate the previous user session and let the new user in.
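The three Spring Security threads above (a logout that leaves the session alive, session-fixation-protection, and concurrent-session-control with its lockout side effect) all map onto one session-management configuration. The following is an added example in Spring Security's Java config, not code from any of the posts; it assumes Spring Security 6.x, reuses the /logout.do and /logoutSuccess.do URLs from the questions, and makes up /login and /sessionExpired as the login and expired-session pages.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SessionSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/logoutSuccess.do", "/sessionExpired").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            // Equivalent of <logout invalidate-session="true" delete-cookies="JSESSIONID">:
            // the server-side session is destroyed and the browser's cookie removed, so a
            // later login cannot resume the old session (or the old WebFlow state).
            .logout(logout -> logout
                .logoutUrl("/logout.do")
                .logoutSuccessUrl("/logoutSuccess.do")
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .deleteCookies("JSESSIONID"))
            .sessionManagement(session -> session
                // session-fixation-protection="newSession": fresh, empty session on login
                .sessionFixation().newSession()
                // <concurrent-session-control max-sessions="1" ...>
                .maximumSessions(1)
                // false = a new login expires the old session (no lockout after a closed
                // browser); true = error-if-maximum-exceeded="true", second login is refused
                .maxSessionsPreventsLogin(false)
                // expired-url: where the expired (older) session is sent on its next request
                .expiredUrl("/sessionExpired")
                .sessionRegistry(sessionRegistry()));
        return http.build();
    }

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Publishes HttpSession create/destroy events so the SessionRegistry sees container
    // timeouts; without it, sessions abandoned by a closed browser are counted until restart.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

With maxSessionsPreventsLogin(false) the "number of sessions exceeded" lockout from the 3.1 question does not occur: the abandoned session is marked expired on the next login instead of blocking it until the 10-day timeout.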

Double sign-in required with devise

I've got a Rails 3.0.9 application using Devise 1.4.9. I'm having a bit of a problem with the login screens. I think I understand the problem as I've previously fixed a similar issue in a C application. But this time I'm just using devise so it is harder to just fix the source code ...
The basic pattern is I log out of the application, which takes me to a URL such as this: http://10.0.0.25:3000/devise/users/sign_in
I then go home and come back to work the next day, with the above address still open in the browser. I type in the password, but I just get a message saying my session has expired, and I have to re-enter the password.
Making an educated guess, when the user is shown the sign_in page, devise creates a new session which is not currently logged in. When the user submits the page, devise checks the session exists, and then checks the credentials. For security reasons, the credentials will not work for an expired (or unknown) session.
The fix in the C application was to allow a very long timeout for sessions that had never been logged in. Once a session is logged in, it does need to be logged out after an inactivity delay that is relatively short, so just changing config.timeout_in wouldn't be enough.
EDIT: I've noticed by messing around with the timeout set down to 1 minute that the not-logged-in session timeout does not change to one minute (in fact I haven't really noticed whether it has changed at all...) So there must be something else that does this.
Also I realised when a session is not logged in, there is no time stored within the session cookie, so I don't even know exactly how the server determines the session age (I don't have a server-side sessions table).
