Hi everyone,
I’m running into some architectural issues with session management in a Vaadin 24 application deployed across multiple pods in Kubernetes.
My case: each user must have only one active session at a time, in the context of SSO. If a user logs in from a different browser or device, the previous session should be invalidated.
I tried to implement this using Spring Session with Redis, which normally works well for stateless Spring Boot apps, but the login page reloads in a loop: the login page itself never loads; it keeps redirecting to login?error=session_expired.
It seems that Vaadin tries to initialize a VaadinSession for the login view, but Spring Session (backed by Redis) immediately treats the HTTP session as invalid or expired.
As a result, the AnonymousAuthenticationFilter takes over, Vaadin detects a missing session, and redirects back to the login URL before the view can render.
This creates a continuous redirect loop even before authentication actually starts.
With basic authentication, everything works correctly - the issue appears only with SSO.
Has anyone successfully implemented centralized session management (e.g., backed by Redis or another store) with Vaadin 24 + Spring Security + SSO?
What would be the recommended approach in 2025 to enforce “only one active session per user” across multiple Vaadin nodes?
Any examples, best practices, or guidance from the Vaadin team would be greatly appreciated.
Thanks in advance!
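For reference, an added example (not code from the post above) of how the "only one active session per user" rule is usually expressed in Spring Security when Vaadin 24 sessions live in a shared store: concurrent-session control wired to a registry that reads from Spring Session instead of the node-local in-memory one. Class names are assumptions, and the indexed-repository property is a Spring Boot 3 setting; this shows the session-limit mechanism only and does not address the SSO redirect loop.

```java
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.session.FindByIndexNameSessionRepository;
import org.springframework.session.Session;
import org.springframework.session.security.SpringSessionBackedSessionRegistry;

// Assumed class name; extends Vaadin's security base class so its defaults stay in place.
@Configuration
public class SingleSessionSecurityConfig extends VaadinWebSecurity {

    private final SessionRegistry sessionRegistry;

    public SingleSessionSecurityConfig(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http); // Vaadin defaults: static resources, internal requests, CSRF handling
        http.sessionManagement(sm -> sm
                .maximumSessions(1)               // at most one concurrent session per principal
                .maxSessionsPreventsLogin(false)  // newest login wins; the older session is expired
                .sessionRegistry(sessionRegistry) // the store-backed registry defined below
                .expiredUrl("/login?error=session_expired"));
    }

    // Nested configuration so the registry bean does not form a circular
    // dependency with the security config that consumes it.
    @Configuration
    static class SharedSessionRegistryConfig {

        // Backs the registry with the Spring Session store rather than the node-local
        // SessionRegistryImpl, so every pod sees the same set of sessions per user.
        // Needs an indexed repository (spring.session.redis.repository-type=indexed);
        // the default RedisSessionRepository does not implement FindByIndexNameSessionRepository.
        @Bean
        <S extends Session> SpringSessionBackedSessionRegistry<S> sessionRegistry(
                FindByIndexNameSessionRepository<S> sessionRepository) {
            return new SpringSessionBackedSessionRegistry<>(sessionRepository);
        }

        // Publishes session-destroyed events so invalidated sessions are removed from the registry.
        @Bean
        HttpSessionEventPublisher httpSessionEventPublisher() {
            return new HttpSessionEventPublisher();
        }
    }
}
```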