Invalidating any existing session

06-Dec-2017 22:25

In this article, we're going to illustrate how Spring Security allows us to control our HTTP Sessions.

This control ranges from a session timeout to enabling concurrent sessions and other advanced security configs.

There are a number of ways to handle session tracking, but our focus is on the easy-to-use yet powerful HttpSession interface provided by the Java Servlet specification.

Before we get into the HttpSession interface, let's look at some other ways of maintaining state.

Session-Tracking Techniques

At one time Web developers used Web site visitors' IP addresses to track sessions. The main problem was that proxy servers eliminated the use of individual IP addresses: users no longer had unique addresses, so this technique couldn't work properly.

Another way of handling session tracking is the HTML hidden field. This technique required server-side scripting that would dynamically generate the HTML code that contained the "user" field.

Server-side code was also required to read the field and match it to information about this user on the server.

Another session-tracking technique is URL rewriting. In this approach, identification field(s) are appended to the end of each URL for a Web site. This approach is similar to hidden fields, and it shares the same weakness: the identifier travels in the clear in every request, in browser history, in proxy logs and in Referer headers.

The first step in enabling the concurrent session control support is to register a session listener. This is essential to make sure that the Spring Security session registry is notified when the session is destroyed.
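To make the concurrent-session-control and URL-rewriting points above concrete, here is an added example (written for this page, not code from the original article or from the Spring Security project) of a Spring Security Java configuration that registers the session listener, sets a session timeout, refuses URL-rewritten session IDs, limits each user to one live session, defends against session fixation, and invalidates the session on logout. It assumes Spring Boot 3 with Spring Security 6 and the Jakarta Servlet API; the class name, URLs and timeout value are illustrative choices, not values from the page.

```java
import jakarta.servlet.http.HttpSessionEvent;
import jakarta.servlet.http.HttpSessionListener;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Hypothetical class name; assumes Spring Boot 3 / Spring Security 6 / Jakarta Servlet.
@Configuration
@EnableWebSecurity
public class SessionControlConfig {

    // Step 1 of concurrent session control: the listener that forwards the
    // container's HttpSessionEvents to Spring Security's SessionRegistry.
    // Without it the registry never learns that a session expired or was
    // invalidated, so the maximumSessions() limit below keeps counting dead
    // sessions against the user and can lock them out until a restart.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    // Session timeout set in code through the plain Servlet API. Spring Boot
    // registers HttpSessionListener beans with the embedded container, so this
    // runs for every new session.
    @Bean
    public HttpSessionListener sessionTimeoutListener() {
        return new HttpSessionListener() {
            @Override
            public void sessionCreated(HttpSessionEvent event) {
                // Illustrative value: 15 minutes of inactivity, then the container destroys the session
                event.getSession().setMaxInactiveInterval(15 * 60);
            }
        };
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(form -> form.permitAll())
            .logout(logout -> logout
                // Invalidate the existing session and drop its cookie on logout
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID"))
            .sessionManagement(session -> session
                // Create a session only when something must be stored in it
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                // Session fixation defence: discard the pre-login session and start a fresh one
                .sessionFixation(fixation -> fixation.newSession())
                // Never append ;jsessionid=... to URLs (the URL-rewriting technique above)
                .enableSessionUrlRewriting(false)
                // One live session per principal; a second login is refused instead of
                // silently expiring the first one
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)
                .expiredUrl("/login?expired"));
        return http.build();
    }
}
```

Two things to check when adopting this: `maxSessionsPreventsLogin(true)` is only safe together with the `HttpSessionEventPublisher` bean, otherwise a user whose session timed out cannot log in again until the registry is cleared; and `sessionFixation().newSession()` deliberately drops all attributes of the pre-login session, so if you need to carry state across login (a shopping cart, for example) use the default `changeSessionId()` instead, which rotates the ID but keeps the attributes. In Spring Boot the same timeout can also be set declaratively with the `server.servlet.session.timeout` property instead of a listener.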

Also, the Spring Reference contains a very good FAQ on Session Management.