Bug #12367

closed

Bad session counting blocks user login after three sessions created

Added by François ARMAND about 6 years ago. Updated almost 6 years ago.

Status: Released
Priority: N/A
Category: Security
Target version:
Severity: Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility: Getting started - demo | first install | level 1 Techniques
Effort required:
Priority: 94
Name check:
Fix check:
Regression:

Description

The way HTTP sessions are created and counted is not correct and can even lead to blocking a user from logging in:

What works: when a user is logged in, he can open new tabs (for example by middle-clicking on a link) on Rudder and the session is correctly shared.

What does not work:

- log in for the first time in tab1;
- in the same browser, open a new tab (tab2), go to the login page
- you are not redirected to the dashboard page (you should be)
- log in with the same user
- tab1 is logged out and comes back to the login page

This is the behavior experienced in Rudder 4.1.

But it gets worse:

- in tab1 or tab3, go to the login page and try to log in
- tab2 is logged out,
- but there is ALSO a login error in tab1 (or tab3) saying that the maximum number of concurrent sessions is reached for that user.
- at that point, we didn't find a way for the user to be able to log in again other than restarting the webapp.

So, it seems that:

1/ there is a missing link between the current browser / user login status
2/ user sessions are not correctly destroyed in the mind of spring-security (or the counting is not correct).

At least the deadlock state is critical.
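
A minimal model of hypothesis 2/ above, added here as an illustration and not taken from Rudder or Spring Security: a per-user session counter where a repeated login from the same browser either releases the session it replaces or leaves it counted. The limit of 3 is assumed from the issue title, and every name in the code is hypothetical.

```python
"""Toy model of per-user concurrent-session counting (all names hypothetical)."""

MAX_SESSIONS = 3  # assumed limit, taken from the issue title


class SessionRegistry:
    def __init__(self, release_replaced_session):
        # True: a login from a browser that already holds a session frees the old one.
        # False: the old session stays counted forever (hypothesis 2/ of the report).
        self.release_replaced_session = release_replaced_session
        self.counted = {}   # user -> set of session ids the registry still counts
        self.cookie = {}    # browser -> (user, session id); tabs share one cookie
        self._seq = 0

    def login(self, user, browser):
        """Return the new session id, or None when the login is refused."""
        previous = self.cookie.get(browser)
        if previous and self.release_replaced_session:
            old_user, old_sid = previous
            self.counted[old_user].discard(old_sid)
        sessions = self.counted.setdefault(user, set())
        if len(sessions) >= MAX_SESSIONS:
            return None  # "maximum number of concurrent sessions reached"
        self._seq += 1
        sid = f"S{self._seq}"
        sessions.add(sid)
        self.cookie[browser] = (user, sid)  # every tab of this browser now uses sid
        return sid


def replay(release_replaced_session, attempts=5):
    """Replay the report's steps: one user logging in again and again from
    different tabs of the same browser. Constructed input, not a real trace."""
    registry = SessionRegistry(release_replaced_session)
    results = [registry.login("admin", "browser-1") for _ in range(attempts)]
    return results, len(registry.counted["admin"])


if __name__ == "__main__":
    for flag in (False, True):
        results, counted = replay(flag)
        print(f"release_replaced_session={flag}: {results} counted={counted}")
```

In the run where replaced sessions are never released, no code path ever removes the stale ids, so the model stays locked until the registry object is recreated, which is consistent with the report that only a webapp restart helped.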


Related issues 1 (0 open, 1 closed)

Related to Rudder - Bug #12481: When logged > 3 times, oldest session is logged out but not immediately (Rejected)