For example, once you have logged in to a website it remembers you and can tell who the current user is on every request until you log out. Spring Security does this by keeping the authenticated SecurityContext in the HTTP session, so the settings below control how long that session lives and how many of them one user may hold at the same time.
Set the session timeout
server:
  servlet:
    session:
      timeout: 60 # session timeout in seconds (Spring Boot reads a bare number here as seconds)
Embedded Tomcat only supports a whole number of minutes: Spring Boot converts this value to minutes and never goes below one, so 60 is the smallest timeout that actually takes effect, and a value such as 90 is truncated to one minute.
Redirect after the session has timed out
http.sessionManagement().invalidSessionUrl("/session/invalid")
Add a handler method to a controller and map it to /session/invalid. This URL is used when a request carries a JSESSIONID the server no longer recognises, typically because the session timed out. Spring Security replaces the stale cookie with a fresh session before redirecting, so the redirect happens once instead of looping; /session/invalid itself must be reachable without authentication, otherwise the redirect is intercepted and sent on to the login page.
Test as follows:
2. The same user logging in from several browsers
http.sessionManagement().invalidSessionUrl("/session/invalid").maximumSessions(1).expiredSessionStrategy(new MyExpiredSessionStrategy())
maximumSessions(1) allows one live session per principal. When a second login succeeds, the older session is marked expired in the SessionRegistry, and the next request that arrives on it is handed to the expiredSessionStrategy instead of reaching the application. Sessions are grouped by principal object, so a custom UserDetails class must implement equals and hashCode (Spring's own User compares by username); otherwise every login looks like a different user and the limit never triggers.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.session.SessionInformationExpiredEvent;
import org.springframework.security.web.session.SessionInformationExpiredStrategy;

// Runs when a request arrives on a session expired by a newer login elsewhere (javax.servlet is Spring Boot 2.x; use jakarta.servlet on Boot 3.x)
public class MyExpiredSessionStrategy implements SessionInformationExpiredStrategy {
    @Override
    public void onExpiredSessionDetected(SessionInformationExpiredEvent event) throws IOException, ServletException {
        HttpServletResponse response = event.getResponse();
        response.setContentType("application/json;charset=UTF-8");
        // body is JSON so that it matches the declared content type
        response.getWriter().write("{\"msg\":\"concurrent login\"}");
    }
}
3. Prevent concurrent login
.sessionManagement().invalidSessionUrl("/session/invalid").maximumSessions(1).expiredSessionStrategy(new MyExpiredSessionStrategy()).maxSessionsPreventsLogin(true)
With maxSessionsPreventsLogin(true) the existing session is kept and the new login attempt is rejected instead: authentication fails with a SessionAuthenticationException ("Maximum sessions of 1 for this principal exceeded") and form login redirects to its failure URL. Since no session is expired on this path, the expiredSessionStrategy is no longer triggered by a concurrent login. One caveat: the registry only learns that a session has ended if an HttpSessionEventPublisher is registered as a bean; without it a user who logged out, or whose session timed out, is still counted and cannot log in again until the stale registry entry disappears.
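Added example, not code from the original post: a single Spring Security configuration that wires together the timeout redirect, the one-session-per-user limit, the strategy switch between sections 2 and 3, and the HttpSessionEventPublisher the registry needs. It assumes Spring Boot 2.7 / Spring Security 5.7 (javax.servlet; on Boot 3.x use jakarta.servlet and requestMatchers instead of antMatchers), the application.yml timeout from section 1, a made-up demo user "alice", and the MyExpiredSessionStrategy class from the post living in the same package.

```java
// Added example, not from the original post. Assumptions: Spring Boot 2.7 /
// Spring Security 5.7, demo user "alice", MyExpiredSessionStrategy (from the
// post) in package demo.session.
package demo.session;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class SessionSecurityConfig {

    // true  -> section 3: keep the existing session, reject the new login
    // false -> section 2: accept the new login, expire the older session
    private static final boolean PREVENT_NEW_LOGIN = true;

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(auth -> auth
                // The invalidSessionUrl target must be reachable anonymously,
                // otherwise the redirect to it is itself sent to the login page.
                .antMatchers("/session/invalid").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                // stale or unknown JSESSIONID, e.g. after the 60 s timeout
                .invalidSessionUrl("/session/invalid")
                // at most one live session per principal
                .maximumSessions(1)
                // only reached when PREVENT_NEW_LOGIN is false
                .expiredSessionStrategy(new MyExpiredSessionStrategy())
                .maxSessionsPreventsLogin(PREVENT_NEW_LOGIN));
        return http.build();
    }

    // Forwards session-destroyed events to Spring Security's SessionRegistry.
    // Without it, logged-out or timed-out sessions stay counted, and with
    // maxSessionsPreventsLogin(true) the user cannot log in again.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    // Demo-only user (constructed for this example). {noop} tells the default
    // DelegatingPasswordEncoder the password is clear text; never do this
    // outside a local demo.
    @Bean
    public UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password("{noop}alice-pw").roles("USER").build());
    }

    // Handler for invalidSessionUrl. Spring Security has already replaced the
    // stale cookie with a fresh session before redirecting here.
    @RestController
    public static class SessionController {
        @GetMapping("/session/invalid")
        public String invalid() {
            return "{\"msg\":\"session expired, please log in again\"}";
        }
    }
}
```

To try it, log in as alice from two browsers: with PREVENT_NEW_LOGIN set to false the first browser's next request gets the JSON written by MyExpiredSessionStrategy, and with true the second browser's login is refused and lands on /login?error. Leave a logged-in browser idle for longer than the 60 seconds configured in section 1 and its next request is redirected to /session/invalid.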