Bad session counting block user login after three session created
The way http sessions are created and counted is not correct and can even lead to blocking an user from login:
What works: when an user is login, he can open new tabs (for example with middle-clicking on a link) on rudder and the session if correctly shared.
What does not work:
- log-in for a first time in tab1;
- in the same browser, open a new tab (tab2), go to the log-in page
- your are not redirected to the dashboard page (you should)
- log-in with the same user
- tab1 is delogged and come back to the login page
This is the behavior experienced in Rudder 4.1.
But it get worse:
- in tab1 or tab3, go to the loggin page and try to log-in
- tab2 is delogged,
- but there is ALSO a login error in tab1 (or tab3) saying that the maximum number of concurrent session is reached for that user.
- at that point, we didn't find a way for the user to be able to log again but to restart webapp.
So, it seems that:
1/ there is missing linked between current browser / user login status
2/ user session are not correctly destroyed in the mind of spring-security (or the couting is not correct).
At least the dead lock state is critical.
Fixes #12367: Bad session counting block user login after three session created
Updated by Alexis MOUSSET almost 2 years ago
- Status changed from Pending release to Released