Spring Security doesn’t kill session when browser closes

Tags: browser, session, spring-security

I am using Spring Security 3.1 and am using

 <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
  • I open a browser and log in (Ex. IE9)
  • I close that browser
  • I open a different browser (Ex. Firefox)
  • I cannot log in because I am still logged in on the other browser

Is there a way to force the session to close when the browser closes? I need to keep the max-sessions to 1 for concurrency control.

Thanks!

Best Answer

I would add a custom filter of my own just before the "CONCURRENT_SESSION_FILTER" and check in the request URI for a string like "force-logout.do" (or something similar).

Then, in the HTML generated I would have a JavaScript event handler like the following:

<script type="text/javascript">
function force_logout() {
  // AJAX request to server notifying that the browser has been closed.
}
</script>

<body onbeforeunload="force_logout();">
</body>

That would work for IE and Firefox (you should check other browsers as well). Your filter just needs to check the URI and perform a session.invalidate() in case it matches the "force logout URI" and return immediately, or otherwise just pass the request on to the filter chain.

NOTE: I'm not adding the AJAX code since I don't know if you are using a specific AJAX framework. With prototype.js it would be fairly simple.
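The server side of the approach described in the answer, written out as an added example (this is not code from the answer or from Spring Security itself). It assumes a servlet 2.5/3.0 container, that the filter is registered in the security namespace with `<custom-filter before="CONCURRENT_SESSION_FILTER" ref="forceLogoutFilter"/>`, and that the client requests the path `/force-logout.do` named above; the class name `ForceLogoutFilter` is made up for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (example code, not from the original answer) placed
 * before CONCURRENT_SESSION_FILTER. It invalidates the caller's HTTP session
 * when the browser's onbeforeunload handler requests /force-logout.do and
 * hands every other request on to the rest of the chain.
 */
public class ForceLogoutFilter implements Filter {

    // Path the onbeforeunload handler requests; the name comes from the answer above.
    static final String FORCE_LOGOUT_PATH = "/force-logout.do";

    public void init(FilterConfig filterConfig) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isForceLogout(request)) {
            chain.doFilter(req, res);   // not ours: continue down the filter chain
            return;
        }

        // Accept POST only. A GET endpoint that kills the session could be hit
        // by an <img src="..."> on any third-party page, letting an attacker
        // log the victim out at will (CSRF-driven logout).
        if (!"POST".equals(request.getMethod())) {
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }

        HttpSession session = request.getSession(false);   // never create one here
        if (session != null) {
            session.invalidate();
        }

        // Invalidating the session only frees the max-sessions="1" slot if
        // Spring Security's SessionRegistryImpl hears about it: web.xml must
        // register org.springframework.security.web.session.HttpSessionEventPublisher
        // as a listener so the SessionDestroyedEvent is published.
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /** True when the request targets the force-logout path inside this web app. */
    static boolean isForceLogout(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        int semicolon = path.indexOf(';');               // drop ";jsessionid=..." if present
        if (semicolon >= 0) {
            path = path.substring(0, semicolon);
        }
        return FORCE_LOGOUT_PATH.equals(path);
    }
}
```

Two caveats a practitioner should weigh before relying on this. First, onbeforeunload fires on every navigation away from the page, including reloads and same-site links, not just when the browser window closes, so the handler logs the user out far more often than the question intends unless the page distinguishes those cases. Second, it does not fire at all when the browser crashes or the machine loses power, so the stale session (and the occupied max-sessions slot) still lingers until the session timeout; a short session timeout remains the only reliable backstop.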
