Implementation of Concurrent Session Control

Concurrent session control is an important feature to ensure the security and integrity of data in your web application. In the context of Joget, this implementation allows controlling simultaneous user access to the platform, which can help prevent security issues and data conflicts.

Implementing concurrent session control in Joget occurs at the software development level and doesn't require direct involvement from end-users. Application developers are responsible for implementing mechanisms to manage concurrent user sessions to ensure system security and performance. End-users interact with the application as usual without taking specific actions related to concurrent session control.

Instructions

To enable this functionality in Joget, follow the steps outlined below:

  1. Download the two attached JAR files:

  2. Place them in a specific location within the Tomcat installation directory: 

    • [tomcat directory]/webapps/jw/WEB-INF/lib.

  3. Edit [tomcat directory]/webapps/jw/WEB-INF/applicationContext.xml with the following information:

    <security:http>
      <security:session-management>
        <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/web/login" session-registry-ref="clusterSessionRegistry"/>
      </security:session-management>
    </security:http>
    <bean id="clusterSessionRegistry" class="org.joget.session.service.ClusterSessionRegistryImpl"></bean>

  4. Uncomment the following configuration in [tomcat directory]/webapps/jw/WEB-INF/web.xml.

    <!-- Uncomment this listener to support concurrent session control
    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>
    -->

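  5. Change error-if-maximum-exceeded="true" to error-if-maximum-exceeded="false". With "true", a new login is rejected once the user has reached max-sessions; with "false", the new login succeeds and the user's earlier session is expired. The edited element is shown below:
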
    <security:session-management>
        <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/web/login" session-registry-ref="clusterSessionRegistry"/>
    </security:session-management>

If you encounter any errors during this process, some users have had success by removing the following attribute:

    session-registry-ref="clusterSessionRegistry"

Without that attribute, Spring Security uses its default in-memory session registry instead of the clusterSessionRegistry bean.

Also note that this implementation creates a new table in the database named "cluster_session". This implementation is not officially supported by the product team.

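
One way to confirm that steps 3 to 5 took effect, as an added example that is not part of the original page or of Joget: the script parses both files, reports the effective concurrency settings, and flags a listener that is still commented out. The sample documents are constructed from the snippets above wrapped in minimal root elements, and the names `audit`, `local`, `APP_CONTEXT`, `WEB_COMMENTED` and `WEB_ACTIVE` are assumptions.

```python
import xml.etree.ElementTree as ET

PUBLISHER = "org.springframework.security.web.session.HttpSessionEventPublisher"

# Constructed sample input: the page's snippets wrapped in minimal root elements.
APP_CONTEXT = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security">
  <security:http><security:session-management>
    <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="false"
        expired-url="/web/login" session-registry-ref="clusterSessionRegistry"/>
  </security:session-management></security:http>
  <bean id="clusterSessionRegistry"
        class="org.joget.session.service.ClusterSessionRegistryImpl"/>
</beans>"""
LISTENER = "<listener><listener-class>%s</listener-class></listener>" % PUBLISHER
WEB_COMMENTED = "<web-app><!-- Uncomment this listener\n%s\n--></web-app>" % LISTENER
WEB_ACTIVE = "<web-app>%s</web-app>" % LISTENER

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]

def audit(app_context_xml, web_xml):
    """Return (effective settings, problems) for the two configuration files."""
    ctx, web = ET.fromstring(app_context_xml), ET.fromstring(web_xml)
    settings, problems = {}, []
    bean_ids = {e.get("id") for e in ctx.iter() if local(e.tag) == "bean"}
    cc = next((e for e in ctx.iter() if local(e.tag) == "concurrency-control"), None)
    if cc is None:
        problems.append("no concurrency-control element in applicationContext.xml")
    else:
        reject = cc.get("error-if-maximum-exceeded", "false") == "true"
        ref = cc.get("session-registry-ref")
        settings = {"max_sessions": cc.get("max-sessions", "1"),
                    "on_limit": "reject new login" if reject else "expire earlier session",
                    "registry": ref or "Spring Security default (in-memory)"}
        if ref and ref not in bean_ids:
            problems.append("session-registry-ref '%s' has no matching bean" % ref)
    # The parser drops comments, so a listener that is still commented out is not
    # seen here. Without it Spring Security is not told when a session ends.
    active = {(e.text or "").strip() for e in web.iter() if local(e.tag) == "listener-class"}
    if PUBLISHER not in active:
        problems.append("HttpSessionEventPublisher is not registered in web.xml")
    return settings, problems

if __name__ == "__main__":
    for name, web_xml in (("commented", WEB_COMMENTED), ("active", WEB_ACTIVE)):
        print(name, audit(APP_CONTEXT, web_xml))
```

To check an installation, pass the contents of the real applicationContext.xml and web.xml to `audit()` in place of the constructed samples.
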
Created by Julieth Last modified by Aadrian on Dec 13, 2024