• To control session creation with Spring Security, configure the create-session attribute with one of the following options:
    – always: Always creates a session if one does not already exist
    – ifRequired (default): Creates a session only when one is required
    – never: Spring Security will not create a session itself, but will use one the application has already created
    – stateless: Spring Security will neither create nor use a session

Example: JAVA Configuration

Example: XML Configuration

Restricting Concurrent Sessions per User using Spring Security

  • The number of concurrent sessions allowed for each user can be limited using Spring Security

Vulnerable Code

  • Allows an attacker to log in at the same time as the legitimate user and carry out attacks

Secure Code

  • Prevents an attacker from acting while the legitimate user is logged in

Restricting Concurrent Sessions per User using Spring Security (Cont’d)

  • To enable concurrent session control:
  • Concurrent session control requires that the Spring Security session registry be notified when a session is destroyed

Enabling Concurrent Session-control

  • Include the following listener in the web.xml

Example: Control Concurrent Sessions JAVA Configuration

Example: Bean for enabling Concurrent Session-control
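The following Java configuration is an added example, not one of the deck's own code slides. It combines the session creation policy from the first slide with the concurrent session control described above; the class name, request rules and login paths are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Hypothetical configuration class (assumed name), illustrating the slide's points.
@Configuration
@EnableWebSecurity
public class SessionSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Assumed access rules and login page for this example.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            .sessionManagement(session -> session
                // Equivalent of create-session="ifRequired": only create a
                // session when Spring Security actually needs one.
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                // At most one active session per user.
                .maximumSessions(1)
                // Reject a second login while a session is active, so an
                // attacker cannot log in alongside the legitimate user.
                // With false (the default), the earlier session would be
                // expired instead and redirected to expiredUrl.
                .maxSessionsPreventsLogin(true)
                .expiredUrl("/login?expired"));
        return http.build();
    }

    // Publishes HttpSessionDestroyedEvent so the session registry learns when
    // a session ends; without it, a logged-out user's slot would stay occupied.
    // This is the Java equivalent of registering HttpSessionEventPublisher as a
    // listener in web.xml.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```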

Controlling Session Timeout