Advise Overriding equals() and hashCode() in UserDetails Implementations

Gurunathan16 · jzheaux · commit a4cd6f4278d0 · 2025-05-21T12:41:44.000-06:00
This commit adds a documentation note explaining the importance of
overriding equals() and hashCode() in custom UserDetails implementations.

The default SessionRegistryImpl in Spring Security uses an in-memory
ConcurrentMap&lt;Object, Set&lt;String&gt;&gt;, Map&lt;String,SessionInformation&gt; to
associate principals with sessions. If a custom UserDetails class does
not properly override equals() and hashCode(), user sessions may not
be tracked or matched correctly.

I believe this helps developers avoid subtle session management issues
when implementing custom authentication logic.

Signed-off-by: Gurunathan &lt;129361658+Gurunathan16@users.noreply.github.com&gt;
diff --git a/docs/modules/ROOT/pages/servlet/authentication/session-management.adoc b/docs/modules/ROOT/pages/servlet/authentication/session-management.adoc
@@ -534,6 +534,13 @@ public class MaximumSessionsPreventLoginTests {
 If you are using a customized authentication filter for form-based login, then you have to configure concurrent session control support explicitly.
 You can try it using the {gh-samples-url}/servlet/spring-boot/java/session-management/maximum-sessions-prevent-login[Maximum Sessions Prevent Login sample].
 
+[NOTE]
+=====
+If you are using a custom implementation of `UserDetails`, ensure you override the **equals()** and **hashCode()** methods.
+The default `SessionRegistry` implementation in Spring Security relies on an in-memory Map that uses these methods to correctly identify and manage user sessions.
+Failing to override them may lead to issues where session tracking and user comparison behave unexpectedly.
+=====
+
 == Detecting Timeouts
 
 Sessions expire on their own, and there is nothing that needs to be done to ensure that a security context gets removed.
