Managing the Session

Another very useful feature of Spring Security is management of the HTTP session. It lets you decide how session timeouts are handled, how many concurrent sessions an authenticated user may hold, and how session fixation attacks are defended against. It can also stop a user from being authenticated to the application from more than one place at a time, which discourages sharing a single username to access the product from multiple locations. Session management is handled by SessionManagementFilter together with a SessionAuthenticationStrategy. Let's first look at how Spring Session management differs from traditional HTTP session management:
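The following configuration is an added example, not code from the original page; it assumes Spring Security 6 with the SecurityFilterChain bean style. It wires the three decisions mentioned above into one place: session fixation protection (a new session ID is issued on login), a hard limit of one concurrent session per user with a second login rejected, and the event publisher that concurrency control needs in order to learn when a session is invalidated.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SessionSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login").permitAll()
                .anyRequest().authenticated())
            .formLogin(login -> login.loginPage("/login"))
            .sessionManagement(session -> session
                // Issue a fresh session ID after authentication so an ID an
                // attacker planted before login is never promoted to an
                // authenticated session (migrateSession keeps the attributes).
                .sessionFixation(fixation -> fixation.migrateSession())
                // Concurrency control: one active session per principal.
                .maximumSessions(1)
                // true  = reject the second login attempt
                // false = expire the older session instead (the default)
                .maxSessionsPreventsLogin(true)
                // Where an expired session is sent on its next request.
                .expiredUrl("/login?expired"));
        return http.build();
    }

    // Without this bean the SessionRegistry is never told that a session was
    // destroyed, so a user who logs out (or times out) stays counted against
    // maximumSessions and is locked out until the entry leaks away.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

Two caveats a practitioner should check: concurrency control compares sessions by the principal's equals()/hashCode(), so a custom UserDetails type must implement both, and if sessions are stored through Spring Session rather than the servlet container, the default in-memory SessionRegistryImpl cannot see them; register a SpringSessionBackedSessionRegistry as the session registry instead.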

  • Problems handling multiple accounts: Many of us have more than one account, for example one for personal use and another for official use. If the application tracks whether a user is logged in through HttpSession, we have to log out of one account before we can log in to the other. Spring Session lets us configure multiple sessions per user, so the user does not have to log out of one account to log in to another.
  • Multiple sessions per login: Security management is role-based: each user is assigned one or more roles, and each role grants a different set of privileges. Suppose a user holds both the User and Admin roles. The content available to each role is clearly different: Admin has access to almost everything, User does not. Traditional session management stores the current user and role in the session, but each session holds a single login, which makes working with more than one role awkward: the user has to log out of one account to use the other role. Spring Session allows multiple sessions per login, each completely independent of the others.
  • Accessing session data: Applications expose data in several ways, such as REST APIs and AMQP. The problem is that when a thread processing a message (outside any HTTP request) needs the HttpSession, the developer has to build a custom solution. Spring Session provides an API for retrieving a session by its ID.
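As an added example (not code from the original page) of the last point, the service below uses Spring Session's FindByIndexNameSessionRepository, assumed here to be the repository bean that Spring Session auto-configures. It resolves the authenticated principal of a session from nothing but the session ID, which is what a message listener running off an AMQP thread has to work with, and it shows the security-relevant companion operation: revoking every other session of a user, for instance after a password change.

```java
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.session.FindByIndexNameSessionRepository;
import org.springframework.session.Session;
import org.springframework.stereotype.Service;

import java.util.Map;

@Service
public class SessionLookupService {

    private final FindByIndexNameSessionRepository<? extends Session> sessions;

    public SessionLookupService(FindByIndexNameSessionRepository<? extends Session> sessions) {
        this.sessions = sessions;
    }

    // Called from a non-HTTP thread (e.g. an AMQP listener) that only carries the
    // session ID in the message. Returns null for unknown or expired sessions, so
    // a stale ID replayed later cannot be attributed to a user.
    public String principalFor(String sessionId) {
        Session s = sessions.findById(sessionId);
        if (s == null || s.isExpired()) {
            return null;
        }
        // Spring Security stores the SecurityContext under this well-known key.
        SecurityContext ctx = s.getAttribute(
                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        if (ctx == null || ctx.getAuthentication() == null) {
            return null;
        }
        return ctx.getAuthentication().getName();
    }

    // Deletes every session that belongs to the principal except the one that
    // should survive (typically the session that changed the password).
    // Returns the number of sessions removed.
    public int revokeAllExcept(String principalName, String keepSessionId) {
        Map<String, ? extends Session> all = sessions.findByPrincipalName(principalName);
        int removed = 0;
        for (Session s : all.values()) {
            if (!s.getId().equals(keepSessionId)) {
                sessions.deleteById(s.getId());
                removed++;
            }
        }
        return removed;
    }
}
```

findByPrincipalName relies on the repository indexing sessions by principal, which the Redis and JDBC repositories do out of the box; with the plain MapSessionRepository only findById is available.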