
Request for Multi-Session Management with Redis in Spring Cloud Gateway with @EnableRedisWebSession

Open Aravinthp66 opened this issue 3 months ago • 4 comments

I would like to request guidance or an implementation approach for enabling/disabling multi-session handling using Redis in Spring Cloud Gateway.

Specifically, we're looking to manage multiple user sessions efficiently (with a session limit) and store session data in Redis. Any recommendations on how to integrate this functionality, including configuration details or patterns to follow, would be appreciated.

Looking forward to your input!

If this feature is available, please provide the document.

Thank you!

Aravinthp66 avatar Sep 18 '25 06:09 Aravinthp66

What do you mean by "multi-session management"?

joaquinjsb avatar Sep 22 '25 11:09 joaquinjsb

It is just a Spring Boot application after all, so the documentation for Spring Boot [1] and Spring Session [2] is still relevant. There is also a related filter in server webflux [3].

[1] https://docs.spring.io/spring-boot/reference/web/spring-session.html
[2] https://docs.spring.io/spring-session/reference/configuration/redis.html
[3] https://docs.spring.io/spring-cloud-gateway/reference/spring-cloud-gateway-server-webflux/gatewayfilter-factories/savesession-factory.html

spencergibb avatar Sep 22 '25 13:09 spencergibb

> What do you mean by "multi-session management"?

It means that the user can log in to multiple devices. So it will create multiple sessions for the user. For that, I want to disable the ability to create more than one session.

```java
@Bean
SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
    return http.formLogin(ServerHttpSecurity.FormLoginSpec::disable)
        .cors(cors -> cors.configurationSource(corsConfigurationSource())) // Enable CORS
        .csrf(ServerHttpSecurity.CsrfSpec::disable)
        .sessionManagement(sessions -> sessions
            .concurrentSessions(concurrency -> concurrency
                .sessionRegistry(sessionRegistry)
                .maximumSessions(authentication -> {
                    return Mono.just(1); // one session for all other users
                })
            )
        )
        // the rest of the chain is not shown in the original post
        .build();
}
```

Redis Config

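```java
import lombok.extern.slf4j.Slf4j;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.data.redis.connection.ReactiveRedisConnectionFactory;
import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
import org.springframework.session.data.redis.config.annotation.web.server.EnableRedisWebSession;

@Slf4j
@Configuration
@EnableRedisWebSession(maxInactiveIntervalInSeconds = GatewayConstant.SESSION_TIMEOUT)
public class RedisConfig {

    private static final String REDIS_HOST = "localhost"; // Replace with env variable if needed
    private static final int REDIS_PORT = 6379;

    // Reactive (Lettuce) connection factory used by the Redis-backed WebSession store
    @Bean
    @Primary
    public ReactiveRedisConnectionFactory reactiveRedisConnectionFactory() {
        return new LettuceConnectionFactory(REDIS_HOST, REDIS_PORT);
    }

}
```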

When the user is already logged in, if the user tries to log in with a new device, it does not remove the old session. I kept this logic even though it created a new session.

Aravinthp66 avatar Sep 25 '25 05:09 Aravinthp66

I believe this is a configuration problem; this is better suited for Stack Overflow. Check the documentation properly, for example: https://docs.spring.io/spring-security/reference/servlet/authentication/session-management.html#ns-concurrent-sessions

joaquinjsb avatar Sep 25 '25 10:09 joaquinjsb