When the session is invalid, this class redirects the request to the page specified in its private final String destinationUrl field. ... 1.2 concurrency-control. The redirect can be made with the same session id or with a new one. In order to close and invalidate the session on the server side, it is mandatory for the web application to take active actions when the session expires, or the user actively logs out, by using the functions and methods offered by the session management mechanisms, such as HttpSession.invalidate() (J2EE), Session.Abandon() (ASP.NET) or session_destroy()/unset() (PHP). This is achieved through the session-management element.

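(If invalid-session-url is set, the user is sent to invalid-session-url.) If you want the second authentication to be rejected, set the error-if-maximum-exceeded="true" attribute on concurrency-control. <sec:session-management invalid-session-url="/error/invalidSession" /> When invalid-session-url is set as above, the request is redirected to the specified URL if the session is invalid. If invalid-session-url is configured as follows in the Spring Security session configuration, a link configured with permitAll redirects to the login page the first time the system is accessed; removing that setting resolves the problem. Spring Security supports HTTP session management through the session-management child element of the http element. Specifying excluded paths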

Spring Security provides attributes to avoid session fixation. In the invalid-session-url attribute of the element, specify the path to redirect to when a request using an invalid session is detected. 1.1 Detecting session timeout. 1.3 Session fixation attack protection. Note that if you use this mechanism to detect session timeouts, it may falsely report an error if the user logs out and then logs back in without closing the browser. The value of this field can be set as the invalid-session-url attribute of the tag.

In the session-management namespace, there is an attribute, session-fixation-protection, that handles session fixation.