Is it possible to invalidate a httpsession from another session using session id?

Question

Consider this scenario

User adam logins into websiteA using webbrowserA with emailid adam@web.com a session is created here and session id is stored in database

Then, User adam logins into websiteA using webbrowserB with emailid adam@web.com a session is created here and session id is stored in database

when User adam logins using webbrowserB, i need to invalidate the session that was created using webbrowserA (assuming session in webbrowserA is active). how to invalidate the session created using webbrowserA using it's sessionid or other possible ways?

Technology: Java,SpringMVC,Sqlserver2008

Answer 1

Spring Security具有并发会话控制功能 ，可以满足您的要求。

Answer 2

There is no direct way to invalidate a session from another session. But you can store in a ServletContext attribute a list of session ids that should no longer be accepted.

Then you can just use a filter that for each request tests whether the current session exists and belongs to that list. If it does, you can then invalidate it from the filter.

For your use case, the simplest way IMHO would be to keep in a ServletContext attribute a HashMap<String, Integer> mapping the current session id for a user mail, and to store in every session (in a session attribute) the email of the user - For that, you just need to update those attributes after each successful login.

The you use a filter that tests whether the current session is already connected (contains an email) and whether the id is the registered id for that email. If it is not the registered id, the filter invalidates the session and redirects to the login page (or to a page explaining that the session has been closed because of another login with same id)

That's more or less what Spring security can do automagically for you if you use concurrent session control as said by @bernie.