This is the correct behavior.

The first person who posts a good explanation of this behavior will receive 10pt extra credit.

ashoush wrote:

I beleive this happens because different instances of the same browser share the same session. (IE used to use different sessions in previous version but I noticed this is no longer the case in IE 8.) So by opening a new browser of same type and logging in with a different username, a new session is created and the previous session expires automatically. But by using two different browsers you can have two different sessions and consequently two users can be connected to the system simultainously from the same computer.

Yes, but explain a little bit more how "the previous session expires automatically".

ashoush wrote:

I beleive when a user logs in to the system, the Spring Security invalidates the current session and initiate a new session for the new user. This make any session on other browsers of the same type to be changed to the new session. As the logged-in user information is kept in the session variables, the user for all the previous open browsers are now considered the recently logged in user.

Not quite.

niteenborge wrote:

The HttpSessionContextIntegrationFilter is responsible for storing a SecurityContext between HTTP requests. The HttpSession is used to store this information. 

As Http session is stateless it get killed when we close the browser, also it is different for different browser..

No.

niteenborge wrote:

I checked in response "JSESSIONID" is same for any instance of browser (Including ctrl + N). When we close browser completly, it generates new SessionId. It is true for different browser. I think Server sets session ID after login and checks authentication for every request. It checks for same SessionID. If it is different, then it tell user to login again.

In our case the browser is not closed. Suppose you login as a user, then open another browser window or tab and login as a different user, you will be automatically logged out of the first account, i.e. the first session will be automatically terminated. How is the first session terminated?

The key is to understand how "session" works. As we discussed in CS320 and in the review lecture of this class, when a client first sends a request to the server, the server generates a unique token (a random number or string) which is usually called a sesion id, and sends it back to the client. All subsequent requests from the client should include this token so that the server can recognize the client. In most cases, sessions are implemented using cookies. In particular, the session id is sent back and forth between the client and the server as the value of the cookie header in the HTTP requests and responses.

Because an HTTP session relies on both the client and the server "remembering" the same session id, a session can be terminated by either side. For example, a server can terminate a session by expiring a session id, and a client can terminate a session by deleting the cookie that contains the session id.

Now back to the case we are discussing. When a user first logs into a website, the client browser receives a session id that is stored in a cookie. If the user logs in a different account, the server sends back a new sssion id in another cookie. Because the new cookie comes from the same host, for the same path, and has the same name as the old cookie, it replaces the old cookie, or in other words, the new session id overwrites the old session id, so the old session is gone. Note that in this case, the session is terminated on the client side, not by Spring Security on the server.