Closed rwinch closed 9 months ago
goosmurf
commented
4 years ago Could this issue be prioritised given that it has security implications?
Consider that if a user's account is compromised (e.g. through cookie or other credential theft) it's typically expected that a password change would also have the effect of (optionally) invalidating all existing sessions.
Without this interface it's difficult to properly address session hijacking.
igorbolic
commented
3 years ago Are there any plans of when ReactiveFindByIndexNameSessionRepository will be available?
Are there any guidelines of how someone could achieve the same functionality (invalidation & cleanup of all principal sessions) before this is released?
yangdq1
commented
2 years ago Are there any plans of this issue? @vpavic @rwinch
rwinch
commented
2 years ago Not at this time
adamalexandru4
commented
2 years ago Could anyone please provide at least a workaround in the meantime ?
HJK181
commented
1 year ago 5 years, and still nothing.
ChiragMoradiya
commented
1 year ago We also encountered this issue. All of our micro-services are on Webflux, and we can't use this feature to invalidate all sessions of a User, when needed.
marcusdacoregio
commented
1 year ago Hi everyone, I'll be revisiting this issue as soon as https://github.com/spring-projects/spring-security/issues/6192 is complete in order to integrate Spring Session WebFlux with the concurrent sessions control.
marcusdacoregio
commented
9 months ago Hi everyone, this has been closed via https://github.com/spring-projects/spring-session/issues/2700. This first implementation is based on Redis, please try it out and report any bugs or improvements suggestions.
A reactive equivalent to
FindByIndexNameSessionRepository