
Spring 4 - Session Management

Hello everyone,

I am currently running an enterprise Spring web application inside our company, deployed on a Tomcat 8 server.

Now, some users report that sometimes they can't connect, as a login error is shown on the login page.

And well, that's why:

My session configuration is set up like this:

<session-management>
    <concurrency-control max-sessions="5" 
        error-if-maximum-exceeded="true" expired-url="/login" 
        session-registry-alias="sessionRegistry"/>
</session-management>

<form-login login-processing-url="/login" 
    login-page="/login" 
    authentication-failure-url="/login_error" />

<logout logout-url="/logout" logout-success-url="/login" 
    invalidate-session="true"/> 

The session timeout is set to 4 hours:

<session-timeout>240</session-timeout>

  • when a user requests the login page, a session with a CSRF token is stored server-side.
  • when a user logs out, his session is invalidated and he is redirected to the login page, where a new session with a CSRF token is again stored server-side.
  • when a user already has 5 sessions (different browsers, devices, weird client behaviour) and tries to log in a 6th time, the login is denied because the session maximum is exceeded.

Now in a worst case, there are 5 sessions with only a CSRF token stored server-side, with let's say an average lifetime of 3 hours, blocking the user from connecting again.

Please, can someone tell me that there is a better solution than:

max-sessions="biggerNumber" 

and thanks for reading anyway...

You have 2 possibilities that you can combine:

  • increase the number of concurrent sessions
  • decrease the session timeout (30 minutes is already large)

But you also have a more radical way: change the policy so that the new connection is not rejected but the oldest one is revoked. It is allowed out of the box by spring-security; just remove error-if-maximum-exceeded="true" from the concurrency-control tag:

<session-management>
    <concurrency-control max-sessions="5" 
        expired-url="/login" 
        session-registry-alias="sessionRegistry"/>
</session-management>

I checked the spring documentation below and tested.

http://docs.spring.io/spring-security/site/docs/current/reference/html/session-mgmt.html#concurrent-sessions

It turns out that you have to add this in your web.xml:

<listener>
    <listener-class>
    org.springframework.security.web.session.HttpSessionEventPublisher
    </listener-class>
</listener>

This listener will delete the session connected to the principal instance when logging out. Otherwise, the session is still connected to the principal instance even after logging out. So that's why you'll keep getting the error "Maximum sessions of XX for this principal exceeded".
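The two answers above recommend two things: drop error-if-maximum-exceeded="true" so that the oldest session is expired instead of the new login being refused, and register HttpSessionEventPublisher so that sessions invalidated by logout (or timeout) are removed from the SessionRegistry and stop counting towards max-sessions. The following Java configuration is an added example, not code from the question or from either answer; it expresses the same settings with Spring Security 4.x Java config and adds a small diagnostic helper for checking how many registered, non-expired sessions a principal actually has. The class name SessionSecurityConfig and the helper name activeSessionsPerPrincipal are assumed; everything else is the Spring Security API.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Added example: Java-config counterpart of the XML shown in the question and
// answers (class name is assumed). Targets Spring Security 4.x.
@Configuration
@EnableWebSecurity
public class SessionSecurityConfig extends WebSecurityConfigurerAdapter {

    // The registry that concurrency control consults; same role as
    // session-registry-alias="sessionRegistry" in the XML.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Forwards HttpSession-destroyed events to the registry. Without it an
    // invalidated (logged-out or timed-out) session stays registered and keeps
    // counting towards max-sessions. In a plain WAR the listener must also be
    // registered with the container: web.xml as in the answer above, or
    // ServletContext.addListener(...) in a WebApplicationInitializer.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login", "/login_error").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/login")
                .failureUrl("/login_error")
                .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login")
                .invalidateHttpSession(true)
                .and()
            .sessionManagement()
                .maximumSessions(5)
                // false = expire the oldest session instead of rejecting the new
                // login. This is the Java-config equivalent of removing
                // error-if-maximum-exceeded="true"; true would keep rejecting.
                .maxSessionsPreventsLogin(false)
                .expiredUrl("/login")
                .sessionRegistry(sessionRegistry());
    }

    // Diagnostic helper (assumed name, not Spring API): number of registered,
    // non-expired sessions per principal, i.e. exactly what concurrency control
    // compares against max-sessions. Useful for confirming whether stale
    // entries from logged-out sessions are what fills a user's quota.
    public static Map<Object, Integer> activeSessionsPerPrincipal(SessionRegistry registry) {
        Map<Object, Integer> counts = new LinkedHashMap<>();
        for (Object principal : registry.getAllPrincipals()) {
            List<SessionInformation> live = registry.getAllSessions(principal, false);
            counts.put(principal, live.size());
        }
        return counts;
    }
}
```

The helper passes false as the second argument to getAllSessions so that sessions already marked expired by concurrency control are excluded; call it from an administrator-only endpoint or an integration test while reproducing the complaint. If a principal shows 5 live sessions after the user has logged out everywhere, the registry is not receiving session-destroyed events, which is the listener problem the second answer describes.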
