spring security session times out

Question

I am using spring security 4.1, the issue that i face is when i try to login i am sent back to the session expired page several times. I have tried multiple things like adding my own HttpSessionListener also by adding org.springframework.security.web.session.HttpSessionEventPublisher but the session keeps expiring. I read in one of the questions the explanation for such behavior "It's possible for Spring Security to invalidate session in some cases (for example, after logging in, the user gets a new HttpSession)." I used Fiddler tool to see what is happening, i see user is authenticated but is redirected to session expired page instantly. I want to allow same user to login as many times as he wants. I also read in some places that it will help to move to spring 3.x but i assume it might be for cases when older version of spring was used. please suggest. Thank You

    <http auto-config="true" use-expressions="true"
    authentication-manager-ref="authenticationManager">
    <session-management 
    invalid-session-url="/login?eventType=sessionTimedOut" 
    session-fixation-protection="none"
    />
    <intercept-url pattern="/login" access="permitAll" />

    <intercept-url pattern="/*"     access="hasAnyAuthority('FF_USER','FF_ADMIN')" />

    <form-login login-page="/login" 
        authentication-success-handler-ref="authenticationSuccessHandler"
        authentication-failure-handler-ref="customAuthenticationFailureHandler"
        login-processing-url="/j_spring_security_check"
        username-parameter="j_username"
        password-parameter="j_password"
        />

    <logout invalidate-session="false" logout-success-url="/login?eventType=logout"
        logout-url="/j_spring_security_logout" delete-cookies="JSESSIONID"/>

    <csrf token-repository-ref="csrfTokenRepository" />

</http>

<beans:bean id="csrfTokenRepository"
    class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository">
    <beans:property name="headerName" value="X-XSRF-TOKEN" />
</beans:bean>

<beans:bean id="authenticationSuccessHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/home"/>
    <beans:property name="alwaysUseDefaultTargetUrl" value="true"/>
</beans:bean>

<beans:bean id="customAuthenticationFailureHandler" class="*.*.CustomAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl" value="/login?eventType=error"></beans:property>
    <beans:property name="baseFailureUrl" value="/login?eventType=error"></beans:property>
</beans:bean>

<beans:bean id="authenticationManager"
    class="org.springframework.security.authentication.ProviderManager">
    <beans:constructor-arg>
        <beans:list>
            <beans:ref bean="ldapAuthenticationProvider" />
        </beans:list>
    </beans:constructor-arg>
    <beans:property name="eraseCredentialsAfterAuthentication"
        value="true" />
</beans:bean>

Answer 1

 <http>
    <logout delete-cookies="JSESSIONID" />
  </http>

Unfortunately this can't be guaranteed to work with every servlet container, so you will need to test it in your environment[8].

So you need to add a customer logout handler that implements LogoutHandler to LogoutFilter handlers.

<http auto-config="true" use-expressions="true" authentication-manager-ref="authenticationManager">
...
<custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
...
</http>


<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <constructor-arg name="logoutSuccessUrl" value="/login?eventType=logout" />
        <!-- implement LogoutHandler, Websphere log out -->
        <constructor-arg name="handlers" ref="{customer logout }" />
        <property name="filterProcessesUrl" value="/j_spring_security_logout" />
</bean>