session management
2022-07-19 14:57:00 【Leisurely summer】
Spring Security can be used together with the Spring Session library. With only some simple configuration it provides features such as session expiration, allowing only one login per account at a time, and clustered sessions.
1、 Session timeout
Configure the session timeout. The default is 30 minutes, but in Spring Boot the session timeout is at least 60 seconds.
# Session settings
# Configure the session timeout
server.servlet.session.timeout=60
When the session times out, the user is redirected to the login page by default.
Customizing the redirect address after a session timeout
Configure session management and the address to redirect to once the session is invalid:
http.sessionManagement() // Configure session management
.invalidSessionUrl("/toLoginPage"); // Path to redirect to when the session is invalid; the default is the login page
2、 Concurrency control
Concurrency control limits how many logins of the same account can be online at the same time. If the number is set to 1, the account can have only one valid login at a time: if the same account logs in elsewhere, the previous login session is expired, that is, the later login kicks out the earlier one.
2.1、 Modify the timeout
# Session settings
# Configure the session timeout
server.servlet.session.timeout=600
2.2、 Set the maximum number of sessions
http.sessionManagement() // Configure session management
.invalidSessionUrl("/toLoginPage") // Path to redirect to when the session is invalid
.maximumSessions(1) // Maximum number of sessions; 1 means the account can be logged in only once at a time
.maxSessionsPreventsLogin(true) // Block the login once the maximum number of sessions is reached
.expiredUrl("/toLoginPage"); // Path to redirect to after the session has expired
2.3、 Prevent users from logging in a second time
sessionManagement can also be configured with maxSessionsPreventsLogin, a boolean value: when the maximum number of sessions set by maximumSessions is reached, further logins are blocked.
3、 Clustered sessions
In a real deployment a service runs on at least two servers, with nginx in front of them for load balancing: users access nginx, and nginx decides which server handles the request. When one server goes down, the other can continue to provide service, so the service is not interrupted. If the session is stored in the web container (such as Tomcat), a user whose first request is assigned to server 1 logs in there. When a later request is suddenly assigned to server 2, server 2 does not have the login session that exists on server 1, so it makes the user log in again. To a user who has already logged in, this looks abnormal.

The way to solve this is to stop saving the user's login session on the web server and save it in a separate store (Redis, MongoDB, JDBC, etc.) instead. All servers access the same store and read the user's session information from it. When the user logs in on server 1, the session information is saved to the store. When the user's next request is assigned to server 2, server 2 checks whether the session already exists in the store; if it does, the user does not have to log in again and can access the service directly.

3.1、 Add the dependency
<!-- Session sharing based on Redis -->
<dependency>
    <groupId>org.springframework.session</groupId>
    <artifactId>spring-session-data-redis</artifactId>
</dependency>
3.2、 Set the session store type
# Use Redis to share sessions
spring.session.store-type=redis
3.3、 Test
- Log in through one of the services at http://localhost:8080/login
- Use the other service to access any interface; it can be accessed directly without logging in again
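
The concurrency limit from section 2 combined with the Redis-backed sessions from section 3, as an added example that is not part of the original article. By default Spring Security tracks sessions in an in-memory registry on each node, so `maximumSessions(1)` would only be enforced per server; here the registry is backed by Spring Session so that every node sees the same sessions. Assumptions: Spring Boot 2.x with Spring Security 5.x (matching the `spring.session.store-type` property used above), and the class name and form-login settings, which are illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.session.FindByIndexNameSessionRepository;
import org.springframework.session.Session;
import org.springframework.session.security.SpringSessionBackedSessionRegistry;

// Hypothetical class name; the generic parameter lets Spring inject the
// indexed Redis session repository created by spring-session-data-redis.
@Configuration
public class ClusterSessionSecurityConfig<S extends Session> extends WebSecurityConfigurerAdapter {

    private final FindByIndexNameSessionRepository<S> sessionRepository;

    public ClusterSessionSecurityConfig(FindByIndexNameSessionRepository<S> sessionRepository) {
        this.sessionRepository = sessionRepository;
    }

    // Registry that looks sessions up by principal name in the shared store,
    // instead of the per-JVM in-memory registry used by default.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SpringSessionBackedSessionRegistry<>(sessionRepository);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
            .and().formLogin()
                .loginPage("/toLoginPage")      // assumed to be the login page
                .loginProcessingUrl("/login")   // assumed login endpoint
                .permitAll()
            .and().sessionManagement()
                .invalidSessionUrl("/toLoginPage")
                .maximumSessions(1)                 // one session per account, cluster-wide
                .sessionRegistry(sessionRegistry()) // count sessions in Redis, not per node
                .expiredUrl("/toLoginPage");        // where a kicked-out session is sent
    }
}
```

With `maxSessionsPreventsLogin` left at its default, a second login on any node expires the earlier session, which is the "later login kicks out the earlier one" behaviour described in section 2.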