This session has been expired in Experience Manager

Some of our authors are experiencing a weird issue when they are using the Experience Manager in our setup (single instance cms and multiple instances site). They sometimes see “This session has been expired (possibly due to multiple concurrent logins being attempted as the same user).” when working on pages.

They need to log in again when this happens. And it is not just one person that experiences this. It looks like a message from Spring, but I hope someone can give me guidance on where to find the cause.
Thanks in advance!

EDIT: To clarify, we use 15.2.3 of Brxm

Are you using an SSO integration?

No, users are managed in the CMS. I would add that we installed Bloomreach Forge Reset Password also.

Do your users open multiple tabs to the cms possibly?

I have raised that question with the users.

In the meantime we are somewhat able to reproduce it by doing just that (fairly difficult I might add). And we find it may have something to do with the site login (on the cms-instance where the preview is served). We have this configured in spring-security for the site:
<security:concurrency-control max-sessions="1"/>

The session registry uses the principals as keys in a map and it can therefore happen that there are multiple user objects with different hash codes for the same user. Sometimes they do match and then Spring sets the oldest existing session to expired, resulting in this message.
So it seems we do have multiple concurrent logins sometimes. I am still not sure why this occurs.
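
A simplified model of the principal-keyed registry described in the post above, as an added example that is not part of the original thread and is not Spring Security's or Bloomreach's code. The class names, user name and session ids are constructed for illustration; the registry only mimics "principal as map key, expire the oldest session when the limit is reached".

```java
import java.util.*;

// Simplified model of a principal-keyed session registry (hypothetical, not Spring's classes).
public class PrincipalKeyDemo {
    // Hypothetical principal without equals/hashCode: every instance is a distinct map key.
    static class IdentityUser {
        final String name;
        IdentityUser(String name) { this.name = name; }
    }

    // Hypothetical principal compared by username: all instances for one user share a key.
    static class ValueUser {
        final String name;
        ValueUser(String name) { this.name = name; }
        @Override public boolean equals(Object o) {
            return o instanceof ValueUser && ((ValueUser) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    static final int MAX_SESSIONS = 1; // mirrors max-sessions="1" from the post

    final Map<Object, Deque<String>> sessions = new HashMap<>(); // principal -> session ids, oldest first
    final List<String> expired = new ArrayList<>();

    void login(Object principal, String sessionId) {
        Deque<String> own = sessions.computeIfAbsent(principal, p -> new ArrayDeque<>());
        while (own.size() >= MAX_SESSIONS) {
            expired.add(own.removeFirst()); // limit reached: the oldest session is expired
        }
        own.addLast(sessionId);
    }

    public static void main(String[] args) {
        // Constructed sample: the same user authenticates twice, yielding two principal objects.
        PrincipalKeyDemo identity = new PrincipalKeyDemo();
        identity.login(new IdentityUser("author1"), "S1");
        identity.login(new IdentityUser("author1"), "S2");
        System.out.println("identity keys: entries=" + identity.sessions.size()
                + " expired=" + identity.expired);

        PrincipalKeyDemo value = new PrincipalKeyDemo();
        value.login(new ValueUser("author1"), "S1");
        value.login(new ValueUser("author1"), "S2");
        System.out.println("value keys:    entries=" + value.sessions.size()
                + " expired=" + value.expired);
    }
}
```

With identity-based keys the two logins land under separate map entries and nothing is expired; with value-based keys they share one entry and the first session is expired on the second login.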

I’m not qualified to give any deeper insight on this. It’s some interaction of your site login and the experience manager, but I can’t say more than that, which you already knew.