org.springframework.security.web.authentication.session (spring-security-docs 5.7.1 API)

Strategy interface and implementations for handling session-related behaviour for a newly authenticated user.

Comes with support for:

Protection against session-fixation attacks
Controlling the number of sessions an authenticated user can have open

Interface Summary
Interface Description

SessionAuthenticationStrategy
Allows pluggable support for HttpSession-related behaviour when an authentication occurs.

Class Summary
Class	Description
AbstractSessionFixationProtectionStrategy	A base class for performing session fixation protection.
AbstractSessionFixationProtectionStrategy.NullEventPublisher
ChangeSessionIdAuthenticationStrategy	Uses `HttpServletRequest.changeSessionId()` to protect against session fixation attacks.
CompositeSessionAuthenticationStrategy	A `SessionAuthenticationStrategy` that accepts multiple `SessionAuthenticationStrategy` implementations to delegate to.
ConcurrentSessionControlAuthenticationStrategy	Strategy which handles concurrent session-control.
NullAuthenticatedSessionStrategy
RegisterSessionAuthenticationStrategy	Strategy used to register a user with the `SessionRegistry` after successful `Authentication`.
SessionFixationProtectionEvent	Indicates a session ID was changed for the purposes of session fixation protection.
SessionFixationProtectionStrategy	Uses `HttpServletRequest.invalidate()` to protect against session fixation attacks.

Exception Summary
Exception	Description
SessionAuthenticationException	Thrown by an `SessionAuthenticationStrategy` to indicate that an authentication object is not valid for the current session, typically because the same user has exceeded the number of sessions they are allowed to have concurrently.