Relates to: https://jira.magnolia-cms.com/browse/ADMINCTR-511

When changing the password from one browser while another active session was in progress on a different browser, the new password was successfully updated, and the old session remained active.

Approach

• This ticket will provide a HttpSessionListener in order to track the sessions from an authenticated MgnlUser
• Then, later on we can invalidate all sessions in some cases, e.g changing the password

Documentation notes:

• The new implementation of HttpSessionListener is called: DefaultHttpSessionListener
• It's required to register the listener in web.xml file as below (under the existing "MagnoliaServletContextListener", see this as reference: https://git.magnolia-cms.com/projects/PLATFORM/repos/ce/browse/magnolia-empty-webapp/src/main/webapp/WEB-INF/web.xml?at=refs%2Fheads%2Frelease%2F6.2#25

<listener>
  <listener-class>info.magnolia.cms.security.DefaultHttpSessionListener</listener-class>
</listener>

• As discussed with mgeljic , we agreed that the listener will be setup/enabled by default, but not for existing installs

• So, we should document it how to register/enable the listener in order to have the feature work https://jira.magnolia-cms.com/browse/ADMINCTR-511 (invalidate/logout all sessions when user changed the password), and the customers need to enable by themself if they want