Concurrent session control with `maximum-sessions-per-user=1` logs out both the existing and the new session

[glebfox]

Environment

Jmix version: 3.0
Source: forum

Bug Description

With jmix.core.session.maximum-sessions-per-user=1, logging in as a user who already has an active session logs out both sessions instead of keeping the new one. The new session authenticates and starts opening the main view, then is immediately redirected back to the login view, and the previously active session is expired as well. The user ends up with no active session in either browser.

The same off-by-one affects values greater than 1 in a less visible way: opening session N+1 expires one more session than necessary (the newly created session survives in that case, so it usually goes unnoticed with the default value).

Steps to reproduce

1. Set jmix.core.session.maximum-sessions-per-user=1.
2. Log in as a user in browser A — the main view opens.
3. Log in as the same user in browser B.

Actual behavior

Browser B authenticates and begins opening the main view, then is immediately redirected to the login view. Browser A is also logged out. Neither browser has an active session.

Expected behavior

Logging in from browser B expires only the previous session (browser A) and keeps the new session (browser B) active — the most recent login wins and exactly one session remains.