Description
I am not good at English, so please forgive my grammatical mistakes.
I have a problem while configuring HttpSecurity.sessionManagement().maximumSessions(1). I want a user to have only one valid session at the same time.
If I log in at browser A and then log in at browser B, it runs perfectly and the session in browser A becomes invalid.
But if I log in at browser A, then log in at browser A again (in other words, I call the /login interface twice in the same browser), and then log in at browser B, I find that both browsers can access the restricted interfaces.
I viewed the source code and found that there are three SessionAuthenticationStrategy implementations: ConcurrentSessionControlAuthenticationStrategy, ChangeSessionIdAuthenticationStrategy, and RegisterSessionAuthenticationStrategy. I tried debugging the source code and the following happened:
On the second login at browser A, ConcurrentSessionControlAuthenticationStrategy finds the same sessionId, so it does nothing. But ChangeSessionIdAuthenticationStrategy changes the sessionId to a new sessionId, and RegisterSessionAuthenticationStrategy thinks it is a new session and stores it, so there are two sessions in the session registry.
Did I miss some configuration to resolve this problem?
My Spring Security version is 5.1.5.RELEASE. Thank you very much!
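One workaround for the double registration described in the post, added here as an example and not taken from the post or from Spring Security's own sources: wrap ChangeSessionIdAuthenticationStrategy so that the session id it retires is also removed from the SessionRegistry before RegisterSessionAuthenticationStrategy records the new one. The class name RegistryAwareChangeSessionIdStrategy, the SecurityConfig class, and the assumption that the strategy passed to sessionAuthenticationStrategy(...) takes the place of the default session-fixation delegate when maximumSessions(...) is enabled are mine; everything else uses Spring Security 5.1-era APIs (WebSecurityConfigurerAdapter, javax.servlet).

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Hypothetical workaround (not Spring Security's own code).
     * Rotates the session id exactly as ChangeSessionIdAuthenticationStrategy
     * does, then drops the retired id from the registry. Without this step a
     * second /login from an already-authenticated session leaves the old id
     * registered while RegisterSessionAuthenticationStrategy adds the new one,
     * so the registry counts two sessions for one browser.
     */
    static class RegistryAwareChangeSessionIdStrategy implements SessionAuthenticationStrategy {

        private final SessionRegistry sessionRegistry;
        private final SessionAuthenticationStrategy delegate =
                new ChangeSessionIdAuthenticationStrategy();

        RegistryAwareChangeSessionIdStrategy(SessionRegistry sessionRegistry) {
            this.sessionRegistry = sessionRegistry;
        }

        @Override
        public void onAuthentication(Authentication authentication,
                                     HttpServletRequest request,
                                     HttpServletResponse response) {
            HttpSession session = request.getSession(false);
            String oldId = (session != null) ? session.getId() : null;

            // Session fixation protection: change the id, as the default strategy does.
            delegate.onAuthentication(authentication, request, response);

            // If the id we just retired was known to the registry (a re-login from a
            // session that is already authenticated), forget it so only the new id
            // is counted against maximumSessions.
            if (oldId != null && sessionRegistry.getSessionInformation(oldId) != null) {
                sessionRegistry.removeSessionInformation(oldId);
            }
        }
    }

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Forwards HttpSession destroyed events to the registry, so sessions that
    // expire or are invalidated are removed from it as well.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .sessionManagement()
                // Assumption: with concurrency control enabled this strategy replaces
                // the default ChangeSessionIdAuthenticationStrategy and still runs
                // between ConcurrentSessionControl... and RegisterSession... delegates.
                .sessionAuthenticationStrategy(
                        new RegistryAwareChangeSessionIdStrategy(sessionRegistry()))
                .maximumSessions(1)
                .maxSessionsPreventsLogin(false) // the newest login wins; the older session expires
                .sessionRegistry(sessionRegistry());
    }
}
```

With this wiring, the sequence from the post (log in at A, log in at A again, log in at B) leaves the registry with a single entry for A's current id after the second login, so the login at B sees one existing session and expires it as expected. Set a breakpoint in RegisterSessionAuthenticationStrategy and inspect sessionRegistry.getAllSessions(principal, false) to confirm the count stays at one. Newer Spring Security releases address the same gap by having SessionRegistryImpl react to a session-id-changed event, so upgrading is the other route once the application can move off 5.1.x.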