From a security standpoint, session management is about securing and managing multiple users' sessions across their requests. A session is the sequence of requests and responses associated with a particular user, and session management is what keeps the interactions between that user and a service or application secure. It is one of the most critical aspects of Spring Security: if sessions are not managed properly, the security of data will suffer. To control HTTP sessions, Spring Security uses the following:
SessionManagementFilter
SessionAuthenticationStrategy
With these two, Spring Security can manage the following session security options:
Session timeouts (the amount of time a user can remain inactive on a website before the site ends the session)
Concurrent sessions (the number of sessions that an authenticated user can have open at once)
Session fixation (an attack that permits an attacker to hijack a valid user session)