I have an app configured to prevent concurrent sessions:
<sec:concurrency-control max-sessions="1" expired-url="/sessionExpired.do" session-registry-ref="sessionRegistry"/>
Also we are using remember me functionality:
<sec:remember-me key="someKey" services-ref="rememberMeServices" />
now with this config the logout filter is injected with both SecurityContextLogoutHandler and our TokenBasedRememberMeServices bean which implements LogoutHandler.This is the expected config and it correctly executes both handlers (where in this case, remember me cookie will be canceled by TokenBasedRememberMeServices) ..
However, if the user exceeds his max sessions and the ConcurrentSessionFilter logouts the user, it uses the default SecurityContextLogoutHandler which is declared inside:
private LogoutHandler handlers = new LogoutHandler
I think ConcurrentSessionFilter should be injected with the same logout handlers as LogoutFilter so the user will be properly logged out (i.e clearing remeber me cookie for example)...