The default behavior of concurrency control is to expire the original session. However, I would like to block the second user who is logging in with the same credentials with
The solution is in the documentation:
Often you would prefer to prevent a second login, in which case you can use

    <http>
        ...
        <session-management>
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
        </session-management>
    </http>

The second login will then be rejected. By “rejected”, we mean that the user will be sent to the authentication-failure-url if form-based login is being used. If the second authentication takes place through another non-interactive mechanism, such as “remember-me”, an “unauthorized” (402) error will be sent to the client. If instead you want to use an error page, you can add the attribute session-authentication-error-url to the session-management element.
So basically set error-if-maximum-exceeded to "true" and remove the expired-url attribute from <concurrency-control>.
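
The same policy in Java configuration, as an added example that is not part of the original answer or the quoted documentation. It assumes the Spring Security 6 lambda DSL; the class name and the `/session-limit` path are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SessionLimitConfig { // hypothetical class name

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // The error page must be reachable without a session.
                .requestMatchers("/session-limit").permitAll() // hypothetical path
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                // Counterpart of session-authentication-error-url.
                .sessionAuthenticationErrorUrl("/session-limit")
                // Counterpart of max-sessions="1".
                .maximumSessions(1)
                // Counterpart of error-if-maximum-exceeded="true":
                // reject the second login instead of expiring the first session.
                // No expiredUrl(...) is set, matching the removed expired-url attribute.
                .maxSessionsPreventsLogin(true));
        return http.build();
    }

    // Forwards HttpSession create/destroy events to Spring Security so the
    // session registry releases the slot on logout or timeout. Without it,
    // a rejected user stays locked out after the first session has ended.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

With XML namespace configuration, the counterpart of the `HttpSessionEventPublisher` bean is registering the same class as a `<listener>` in `web.xml`.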