security session concurrency management
2022-08-02 00:06:00 【Three or two lines of program】
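I. Introduction
A session is the process of interaction between the browser and the server.
II. Session concurrency management
1. What is session concurrency
Session concurrency is the question of whether the same user can be logged in to the system on several devices at once. Spring Security sets no limit by default, so the same user can log in on multiple devices; the limit can be configured in Spring Security.
2. Code
With Spring Security added and nothing configured, the same account can log in and access the system from several browsers by default.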
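
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.session.HttpSessionEventPublisher;

    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                    .formLogin()
                    .and()
                    .csrf().disable()
                    .sessionManagement() // enable session management
                    .maximumSessions(1); // the same account can be logged in from only one browser
        }

        /**
         * This bean is optional, but adding it is recommended.
         * Spring Security keeps a map of the current HTTP session records to implement
         * session concurrency management: an entry is added on login and removed
         * from the collection on logout.
         */
        @Bean
        public HttpSessionEventPublisher httpSessionEventPublisher() {
            return new HttpSessionEventPublisher();
        }
    }

The following message appears when the account is logged in from more than one browser: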
This session has been expired (possibly due to multiple concurrent logins being attempted as the same user).
How can the response shown when a session is invalidated be changed?
3. Handling a session that has been pushed offline
3.1 Traditional web development
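
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.session.HttpSessionEventPublisher;

    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                    .formLogin()
                    .and()
                    .csrf().disable()
                    .sessionManagement()
                    .maximumSessions(1)
                    .expiredUrl("/login"); // URL to redirect to when the session is pushed offline
        }

        @Bean
        public HttpSessionEventPublisher httpSessionEventPublisher() {
            return new HttpSessionEventPublisher();
        }
    }

3.2 Separated front end and back end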
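
    import com.fasterxml.jackson.databind.ObjectMapper;
    import java.util.HashMap;
    import java.util.Map;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.session.HttpSessionEventPublisher;

    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                    .formLogin()
                    .and()
                    .csrf().disable()
                    .sessionManagement()
                    .maximumSessions(1)
                    // the parameter is a functional interface, so a lambda can be used directly
                    .expiredSessionStrategy(event -> {
                        HttpServletResponse response = event.getResponse();
                        Map<String, Object> map = new HashMap<>();
                        map.put("code", 500);
                        map.put("msg", "The current account is logged in from different places");
                        String result = new ObjectMapper().writeValueAsString(map);
                        response.setContentType("application/json;charset=UTF-8");
                        response.getWriter().println(result);
                        response.flushBuffer();
                    });
        }

        @Bean
        public HttpSessionEventPublisher httpSessionEventPublisher() {
            return new HttpSessionEventPublisher();
        }
    }

4. Preventing a second login
By default the earlier session is pushed offline. You can instead configure it so that the later login is refused.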
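
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.session.HttpSessionEventPublisher;

    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                    .formLogin()
                    .and()
                    .csrf().disable()
                    .sessionManagement()
                    .maximumSessions(1)
                    .expiredUrl("/login")
                    .maxSessionsPreventsLogin(true); // once logged in, a second login is refused
        }

        @Bean
        public HttpSessionEventPublisher httpSessionEventPublisher() {
            return new HttpSessionEventPublisher();
        }
    }
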
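A simplified model of the bookkeeping behind `maximumSessions(1)` and `maxSessionsPreventsLogin(true)`, added here as an illustration; it is not Spring Security's code or the author's, and the class `ConcurrencyModel`, its methods and the session ids are hypothetical. It also shows why the `HttpSessionEventPublisher` bean is worth adding: a slot is freed only when the registry hears that a session was destroyed.

```java
import java.util.*;

// Simplified, hypothetical model of a per-user session registry (not Spring Security's classes).
public class ConcurrencyModel {
    // principal -> session ids, oldest first; stands in for the in-memory session map
    private final Map<String, Deque<String>> registry = new HashMap<>();
    private final Set<String> expired = new HashSet<>();
    private final int maximumSessions;
    private final boolean maxSessionsPreventsLogin;

    ConcurrencyModel(int maximumSessions, boolean maxSessionsPreventsLogin) {
        this.maximumSessions = maximumSessions;
        this.maxSessionsPreventsLogin = maxSessionsPreventsLogin;
    }

    /** Returns true if the login is accepted. */
    boolean login(String user, String sessionId) {
        Deque<String> sessions = registry.computeIfAbsent(user, u -> new ArrayDeque<>());
        if (sessions.size() >= maximumSessions) {
            if (maxSessionsPreventsLogin) {
                return false;                    // section 4: the latecomer is refused
            }
            expired.add(sessions.removeFirst()); // default: the oldest session is pushed offline
        }
        sessions.addLast(sessionId);
        return true;
    }

    /** What a session-destroyed event (logout or timeout) does to the registry. */
    void sessionDestroyed(String user, String sessionId) {
        Deque<String> sessions = registry.get(user);
        if (sessions != null) sessions.remove(sessionId);
    }

    boolean isExpired(String sessionId) { return expired.contains(sessionId); }

    public static void main(String[] args) {
        // Default behaviour: the second browser gets in, the first one is marked expired.
        ConcurrencyModel kick = new ConcurrencyModel(1, false);
        kick.login("alice", "browser-A");
        System.out.println("B accepted: " + kick.login("alice", "browser-B"));
        System.out.println("A expired:  " + kick.isExpired("browser-A"));

        // Prevent-login behaviour: the second browser is refused while A is still registered.
        ConcurrencyModel block = new ConcurrencyModel(1, true);
        block.login("alice", "browser-A");
        System.out.println("B accepted: " + block.login("alice", "browser-B"));
        // Until this event reaches the registry, alice cannot log in anywhere else.
        block.sessionDestroyed("alice", "browser-A");
        System.out.println("B accepted after A ended: " + block.login("alice", "browser-B"));
    }
}
```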
5. Distributed session sharing
The sessions above are all managed centrally in an in-memory map, so they cannot be shared across a distributed cluster. To use this in a cluster, combine spring-session with Redis to share sessions.
Add the dependencies

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-redis</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.session</groupId>
        <artifactId>spring-session-data-redis</artifactId>
    </dependency>

Configure Redis in the application configuration file

    spring.redis.port=6379
    spring.redis.host=localhost

Security configuration
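
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.session.FindByIndexNameSessionRepository;
    import org.springframework.session.security.SpringSessionBackedSessionRegistry;

    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        // inject the session repository
        @Autowired
        private FindByIndexNameSessionRepository findByIndexNameSessionRepository;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                    .formLogin()
                    .and()
                    .csrf().disable()
                    .sessionManagement()
                    .maximumSessions(1)
                    .expiredUrl("/login")
                    .sessionRegistry(sessionRegistry()) // hand session management to this registry
                    .maxSessionsPreventsLogin(true);
        }

        /**
         * Session registry that keeps the session records in Redis.
         */
        @Bean
        public SpringSessionBackedSessionRegistry sessionRegistry() {
            return new SpringSessionBackedSessionRegistry(findByIndexNameSessionRepository);
        }
    }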