Closed rwinch closed 9 months ago
Could this issue be prioritised given that it has security implications?
Consider that if a user's account is compromised (e.g. through cookie or other credential theft) it's typically expected that a password change would also have the effect of (optionally) invalidating all existing sessions.
Without this interface it's difficult to properly address session hijacking.
Are there any plans of when ReactiveFindByIndexNameSessionRepository
will be available?
Are there any guidelines of how someone could achieve the same functionality (invalidation & cleanup of all principal sessions) before this is released?
Are there any plans of this issue? @vpavic @rwinch
Not at this time
Could anyone please provide at least a workaround in the meantime ?
5 years, and still nothing.
We also encountered this issue. All of our micro-services are on Webflux, and we can't use this feature to invalidate all sessions of a User, when needed.
Hi everyone, I'll be revisiting this issue as soon as https://github.com/spring-projects/spring-security/issues/6192 is complete in order to integrate Spring Session WebFlux with the concurrent sessions control.
Hi everyone, this has been closed via https://github.com/spring-projects/spring-session/issues/2700. This first implementation is based on Redis, please try it out and report any bugs or improvements suggestions.
A reactive equivalent to
FindByIndexNameSessionRepository