Spring Security - Session Management
Session management is a critical part of any system. We can decide which user may stay logged in, how many parallel logins are allowed, and when a user times out or logs out. Spring Security provides several options to control sessions effectively.
Session Creation
We can configure session creation in the SecurityFilterChain. The following options are available in SessionCreationPolicy.
ALWAYS − A session is always created if one is not already present.
IF_REQUIRED − A session is created only when required. This is the default option; after the user authenticates, a corresponding session is created.
NEVER − Spring Security never creates a session itself, but if a session is already present, it is reused.
STATELESS − No session is created or used. Ideal for REST APIs and JWT-based authentication.
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    // the lambda customizes the session configurer; build() is called on http, not inside the lambda
    return http
        .sessionManagement(session -> session
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED))
        .build();
}
Concurrency Control
It is often required to prevent a user from logging into the system from multiple devices at the same time, which would leave multiple sessions active for the same user. Concurrency control achieves this.
.maximumSessions(n) − limits the number of active sessions per user.
.maxSessionsPreventsLogin(true) − passing true blocks a second login attempt while the user is already logged in. By default the value is false, which means a new session is created and the existing one is marked as expired.
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http
        .sessionManagement(session -> session
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .maximumSessions(1)) // one session per user
        .build();
}
Prevention of Session Fixation Attack
Session fixation is an attack in which the attacker sets the session id before the user logs in. To prevent it, Spring Security can create a new session when a user authenticates, or change the session id each time a user authenticates. These options are set through .sessionFixation().
.changeSessionId() − the session id is changed on authentication while the other session attributes are kept intact.
.newSession() − a new session is created; the attributes of the old session are lost.
.none() − no action is taken. Not recommended.
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http
        .sessionManagement(session -> session
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .sessionFixation(fixation -> fixation.changeSessionId()) // rotate the id on login
            .maximumSessions(1)) // one session per user
        .build();
}
Invalid Session/Timeout
It is always advisable to send the user to a valid page when the session has expired or become invalid.
.invalidSessionUrl(url) − redirects the user to the given page when a request arrives with an invalid session id (for example after a timeout).
.expiredUrl(url) − redirects the user to the given page when the session was expired by concurrency control; it is configured on the result of .maximumSessions(n).
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http
        .sessionManagement(session -> session
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .invalidSessionUrl("/login?invalid=true")
            .maximumSessions(1) // one session per user
            .expiredUrl("/login?expired=true"))
        .build();
}
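The following is an added example, not code from the original tutorial or from the Spring Security project, that combines the four settings discussed above (session creation policy, concurrency control, session fixation protection, and the invalid/expired redirects) into one complete configuration class. The class name SessionSecurityConfig and the paths /login and /error are assumptions chosen for the example. It also registers the HttpSessionEventPublisher bean, which concurrency control needs in order to learn when a session is destroyed.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Hypothetical configuration class for this example (not from the tutorial).
@Configuration
@EnableWebSecurity
public class SessionSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // assumed public endpoints for this example
                .requestMatchers("/login", "/error").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            .logout(logout -> logout
                // drop the server-side session and the cookie on logout
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID"))
            .sessionManagement(session -> session
                // create a session only when needed (the default policy)
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                // defeat session fixation by rotating the id at login, keeping attributes
                .sessionFixation(fixation -> fixation.changeSessionId())
                // a request carrying an unknown or timed-out session id lands here
                .invalidSessionUrl("/login?invalid=true")
                // concurrency control: at most one active session per user
                .maximumSessions(1)
                // false (default): the older session is expired; true: the new login is rejected
                .maxSessionsPreventsLogin(false)
                // a user whose session was expired by a newer login lands here
                .expiredUrl("/login?expired=true"));
        return http.build();
    }

    // Without this listener the session registry is never told that a session was
    // destroyed, so logged-out or timed-out sessions keep counting toward the maximum.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

Two things to check when adopting this: the session registry groups sessions by principal using equals() and hashCode(), so a custom UserDetails class must implement both or every login will look like a different user and the limit will never trigger; and the session timeout itself is a servlet container setting (in Spring Boot, the server.servlet.session.timeout property), not something the Spring Security DSL configures.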