|
|
@@ -534,6 +534,13 @@ public class MaximumSessionsPreventLoginTests {
|
|
|
If you are using a customized authentication filter for form-based login, then you have to configure concurrent session control support explicitly.
|
|
|
You can try it using the {gh-samples-url}/servlet/spring-boot/java/session-management/maximum-sessions-prevent-login[Maximum Sessions Prevent Login sample].
|
|
|
|
|
|
+[NOTE]
|
|
|
+=====
|
|
|
+If you are using a custom implementation of `UserDetails`, ensure you override the **equals()** and **hashCode()** methods.
|
|
|
+The default `SessionRegistry` implementation in Spring Security relies on an in-memory Map that uses these methods to correctly identify and manage user sessions.
|
|
|
+Failing to override them may lead to issues where session tracking and user comparison behave unexpectedly.
|
|
|
+=====
|
|
|
+
|
|
|
== Detecting Timeouts
|
|
|
|
|
|
Sessions expire on their own, and there is nothing that needs to be done to ensure that a security context gets removed.
|
Josh Cummings