# Session Management
Spring Security Web's session management provides HTTP session security controls including concurrent session management, session fixation protection, and invalid session handling.
## Core Session Management Components
```java { .api }
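/**
 * Servlet filter that applies session-related handling to each request. The setters below plug in
 * what happens when a request arrives with a session id that is no longer valid.
 */
public class SessionManagementFilter extends GenericFilterBean {
    /**
     * Creates the filter from the application's security-context repository.
     * This is the constructor the usage example on this page relies on
     * ({@code new SessionManagementFilter(repository)}).
     * NOTE(review): parameter type taken from Spring Security's SecurityContextRepository;
     * confirm against the version you target.
     */
    public SessionManagementFilter(SecurityContextRepository securityContextRepository);

    /**
     * Sets the strategy invoked when a request presents an invalid session id
     * (for example one that has timed out).
     */
    public void setInvalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy);

    // NOTE(review): I could not match this setter to SessionManagementFilter; in the Spring
    // Security releases I know, the expired-session strategy is passed to ConcurrentSessionFilter's
    // constructor instead. Verify against the version you target before relying on it.
    public void setSessionInformationExpiredStrategy(SessionInformationExpiredStrategy sessionInformationExpiredStrategy);

    /** Filter entry point; invoked for each request as part of the filter chain. */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain);
}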
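/**
 * Callback that decides how the application responds when a request carries a session id
 * that is no longer valid.
 */
public interface InvalidSessionStrategy {
    /**
     * Handles a request whose session was detected as invalid.
     *
     * @param request the request that presented the invalid session
     * @param response the response used to answer it (for example with a redirect)
     * @throws IOException if writing the response fails
     * @throws ServletException if the handling itself fails
     */
    void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException;
}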
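/**
 * {@link InvalidSessionStrategy} that answers an invalid session by redirecting the client
 * to a fixed URL.
 */
public class SimpleRedirectInvalidSessionStrategy implements InvalidSessionStrategy {
    /**
     * @param destinationUrl the URL to redirect to. Keep this a fixed, application-owned
     *     location; deriving it from request data would turn the redirect into an open redirect.
     *     The target must also be reachable without a valid session, or the client will loop.
     */
    public SimpleRedirectInvalidSessionStrategy(String destinationUrl);

    /**
     * Controls whether a new session is created before the redirect is sent.
     * NOTE(review): Spring Security documents this as a guard against redirect loops, where the
     * redirected request would otherwise resend the same invalid session id; the default is
     * expected to be {@code true} - confirm for your version.
     */
    public void setCreateNewSession(boolean createNewSession);
}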
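/**
 * Servlet filter that checks the session of each request against a {@code SessionRegistry} and
 * hands sessions the registry has marked as expired to the configured expired-session strategy.
 *
 * <p>The filter only reacts to sessions that are already marked expired. Deciding when a session
 * becomes expired (for example because the user exceeded a session limit) happens elsewhere, at
 * authentication time.
 */
public class ConcurrentSessionFilter extends GenericFilterBean {
    /**
     * @param sessionRegistry the registry consulted for the state of the current session
     * @param expiredSessionStrategy decides the response once a session is found to be expired
     */
    public ConcurrentSessionFilter(SessionRegistry sessionRegistry, SessionInformationExpiredStrategy expiredSessionStrategy);

    /** Filter entry point; invoked for each request as part of the filter chain. */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain);
}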
```
## Usage Examples
```java
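// Basic session management
// `repository` and `sessionRegistry` are assumed to be declared elsewhere in the application.
// NOTE(review): the single-argument constructor is expected to apply Spring Security's default
// session-fixation protection; confirm this for your version rather than assuming it.
SessionManagementFilter sessionFilter = new SessionManagementFilter(repository);
// Keep the redirect target a fixed, application-owned path that is reachable without a session;
// never build it from request data.
sessionFilter.setInvalidSessionStrategy(
    new SimpleRedirectInvalidSessionStrategy("/login?expired")
);

// Concurrent session control
// This filter only acts on sessions the SessionRegistry already marks as expired. Limiting how
// many sessions a user may hold is decided at login by a session authentication strategy
// (e.g. ConcurrentSessionControlAuthenticationStrategy), and HttpSessionEventPublisher must be
// registered so that destroyed sessions are removed from the registry. Without both, the
// filter below enforces nothing.
ConcurrentSessionFilter concurrentFilter = new ConcurrentSessionFilter(
    sessionRegistry,
    new SimpleRedirectSessionInformationExpiredStrategy("/login?concurrent")
);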
```