Session management

Spring Security allows you to manage sessions on your server with only some configuration. Some of the most important session management activities are listed here:

  • Session creation: This decides when a session needs to be created and the ways in which you can interact with it. In the Spring Security configuration, put in the following code:
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);

There are four session creation policies that you can choose from. They are as follows:

    • ALWAYS: A session is always created if one does not already exist.
    • IF_REQUIRED: A session is created only when one is required.
    • NEVER: Spring Security never creates a session itself, but it will use one if it already exists.
    • STATELESS: No session is created or used.
  • Invalid session: This controls how the user is informed when the server receives an invalid session ID. The user is redirected to the configured URL:
http.sessionManagement().invalidSessionUrl("/invalidSession");
  • Session timeout: This controls how the user is informed when their session has expired.
  • Concurrent session: This controls how many sessions a single user may have open in an application at the same time. If the maximum number of sessions is set to 1, the previous session is invalidated and the user is logged out of it when the same user logs in a second time. If the value is greater than 1, the user is allowed that many concurrent sessions:
http.sessionManagement().maximumSessions(1);

The following screenshot shows the default error screen that appears when the same user creates more sessions than the configured maximum:

Figure 5: Error thrown when a user accesses multiple sessions
  • Session fixation: This is very similar to concurrent session control. This setting controls what happens to the existing session when a user authenticates and a new session is started. We can specify the following three values:
    • migrateSession: When a new session is created after successful authentication, the old session is invalidated and all of its attributes are copied to the new session:
http.sessionManagement().sessionFixation().migrateSession();
    • newSession: A new session is created without copying any attributes from the previous valid session:
http.sessionManagement().sessionFixation().newSession();
    • none: The old session is reused and is not invalidated:
http.sessionManagement().sessionFixation().none();
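The settings above combined in one configuration, as an added example that is not from the original text. It assumes Spring Security 5.7 or later (SecurityFilterChain bean and lambda DSL); the /sessionExpired URL and the class name are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SessionSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(form -> form.permitAll())
            .sessionManagement(session -> session
                // Session creation: only create a session when one is needed.
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                // Invalid session: redirect when the client presents a stale/unknown session ID.
                .invalidSessionUrl("/invalidSession")
                // Session fixation: discard the pre-login session ID but keep its attributes.
                // (changeSessionId() also exists and is the default on Servlet 3.1+.)
                .sessionFixation(fixation -> fixation.migrateSession())
                // Concurrent session control: one active session per user; a second login
                // expires the first one and sends it to /sessionExpired (assumed URL).
                .maximumSessions(1)
                    .maxSessionsPreventsLogin(false)
                    .expiredUrl("/sessionExpired"));
        return http.build();
    }

    // Required for concurrency control: without this publisher the session registry is
    // never told that a session was destroyed, so logged-out sessions keep counting.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

Setting maxSessionsPreventsLogin(true) instead rejects the second login and keeps the first session alive.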