在Spring Security中手动过期（无效）后，会话不会被销毁

Question

I am writing code of a game (web application) where I want to implement the following strategy. The user is allowed to login once. The second login results in warning message and a choice: to leave or to insist on logging in. If the user opts for logging in then all his previous sessions are to be expired. It works well thanks to Spring Security facilities:

public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { ... .formLogin() .failureHandler(new SecurityErrorHandler()) .and() .sessionManagement() .maximumSessions(1) .maxSessionsPreventsLogin(true) ...

In case of the second login because of maxSessionsPreventsLogin(true) an exception is thrown. Then SecurityErrorHandler catches it and exercises redirection to the warning page:

public class SecurityErrorHandler extends SimpleUrlAuthenticationFailureHandler {

@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
    if (exception.getClass().isAssignableFrom(SessionAuthenticationException.class)) {
        request.getRequestDispatcher("/double_login/"+request.getParameterValues("username")[0]).forward(request, response);   //...the rest of the method

Until now everything is ok. If despite of warning the user choices to login the second time (he has probably closed browser without logging out with the first session going on unmanageably or so) he presses a button and then the controller calls the special service for making the previous sessions expired for this user (using his logged in username):

 public void expireUserSessions(String username) {
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (principal instanceof User) {
                UserDetails userDetails = (UserDetails) principal;
                if (userDetails.getUsername().equals(username)) {
                    for (SessionInformation information : sessionRegistry.getAllSessions(userDetails, true)) {
                        information.expireNow();
                    }
                }
            }
        }
}

Moreover there is a SessionEventListener which (it doesn't matter because of logout, or natural expiring, or forced expiring by 'information.expireNow()') observes a session destroying event and implements a specific logic, such as saving user's persistent data, clean caches and so). This logic IS CRITICAL. The code which does it is the following:

public class SessionEventListener extends HttpSessionEventPublisher {

@Override
public void sessionCreated(HttpSessionEvent event) {
    super.sessionCreated(event);
    event.getSession().setMaxInactiveInterval(60*3);
}

@Override
public void sessionDestroyed(HttpSessionEvent event) {
    String name=null;
    SessionRegistry sessionRegistry = getSessionRegistry(event);
    SessionInformation sessionInfo = (sessionRegistry != null ? sessionRegistry
            .getSessionInformation(event.getSession().getId()) : null);
    UserDetails ud = null;
    if (sessionInfo != null) {
        ud = (UserDetails) sessionInfo.getPrincipal();
    }
    if (ud != null) {
        name=ud.getUsername();
        //OUR IMPORTANT ACTIONS IN CASE OF SESSION CLOSING 
        getAllGames(event).removeByName(name);
    }
    super.sessionDestroyed(event);
}



public AllGames getAllGames(HttpSessionEvent event){
    HttpSession session = event.getSession();
    ApplicationContext ctx =
            WebApplicationContextUtils.
                    getWebApplicationContext(session.getServletContext());
    return (AllGames) ctx.getBean("allGames");
}

public SessionRegistry getSessionRegistry(HttpSessionEvent event){
    HttpSession session = event.getSession();
    ApplicationContext ctx =
            WebApplicationContextUtils.
                    getWebApplicationContext(session.getServletContext());
    return (SessionRegistry) ctx.getBean("sessionRegistry");
}

}

Then the hell happens. Despite my expectations the event for 'sessionDestroyed' method occurs not immediately after session expiring but ONLY AFTER THE USER LOGS IN FOR THE SECOND TIME (it is allowed as his previous session is expired by that moment, but to my surprise, this previous session isn't destroyed by Spring Security until now). So the logic implemented in the service 'getAllGames(event).removeByName(name)', which is called from 'sessionDestroyed', happens too late and, what is worse, after the user logs in for the second time. It breaks the logic.

I can implement different workarounds and so to say crutches. But please, if somebody know how to solve it directly, I would like you to advice me.

Remarks. I have called 'session.invalidate()' but it was also of no avail.

It is important for the already embodied logic that 'sessionDestroyed' in the SessionEventListener is triggered timely (immediately after session is expired). And frankly I don't know how to make it happens in the right and straightforward way.

I would appreciate your help and advice.

Answer 1

The only answer I'v found by myself was the following. An expired session is still not destroyed until the next HTTP request is sent within this session. Thus to kill an expired session you need to simulate such a request on behalf of the session. I have done it by creating and calling the following method:

 void killExpiredSessionForSure(String sessionID) {

            //sessionID - belongs to a session you want to kill
            HttpHeaders requestHeaders = new HttpHeaders();
            requestHeaders.add("Cookie", "JSESSIONID=" + sessionID);
            HttpEntity requestEntity = new HttpEntity(null, requestHeaders);
            RestTemplate rt = new RestTemplate();
            rt.exchange("http://localhost:8080", HttpMethod.GET, requestEntity, String.class);          
 }

After this method is called the event 'sessionDestroyed' is properly issued and handled, and an expired session no longer exists.