Java, Spring Security: Disable 2 logins from single browser when authenticated from backend


I am working on a Spring-MVC application in which I am using Spring Security for authentication and authorization. In one of the features, I am sending an invitation to users to join the application. When the user clicks on the email link, I log the user in from the backend.

If there is a user already logged in, the session of the old user is not removed. I have set it in the XML to create a new session, but that is not helping either. As a result, I have 2 users logged in in the same browser. Any ideas? Thank you.

security-application-context.xml code :

    <security:http pattern="/resources/**" security="none"/>
    <security:http create-session="ifRequired" use-expressions="true" auto-config="false" disable-url-rewriting="true">
        <security:form-login login-page="/login" username-parameter="j_username" password-parameter="j_password"
                             login-processing-url="/j_spring_security_check" default-target-url="/canvaslisting"
                             always-use-default-target="false" authentication-failure-url="/login?error=auth"/>
        <security:remember-me key="_spring_security_remember_me" user-service-ref="userdetailsservice"
                              token-validity-seconds="1209600" data-source-ref="datasource"/>
        <security:logout delete-cookies="JSESSIONID" invalidate-session="true" logout-url="/j_spring_security_logout"/>
        <security:intercept-url pattern="/**" requires-channel="https"/>
        <security:port-mappings>
            <security:port-mapping http="80" https="443"/>
        </security:port-mappings>
        <security:logout logout-url="/logout" logout-success-url="/" success-handler-ref="mylogouthandler"/>
        <security:session-management session-fixation-protection="migrateSession">
            <security:concurrency-control session-registry-ref="sessionreg" max-sessions="5" expired-url="/login"/>
        </security:session-management>
    </security:http>

    <beans:bean id="sessionreg" class="org.springframework.security.core.session.SessionRegistryImpl"/>

controller code :

    @RequestMapping(value = "/activatemembership/{token}")
    public String activateMembershipForExistingUser(@PathVariable("token") String token) {
        boolean val = this.groupMembersService.activateMembers(token, true);
        // rest of the handler is not shown
    }

service layer code :

    // logout is true when the email link is clicked.
    @Override
    public boolean activateMembers(String token, boolean logout) {
        try {
            String[] parts = token.split(TOKEN_SEPARATOR);
            String username = parts[0].toLowerCase();
            Long groupAccountId = Long.valueOf(parts[2]);
            GroupAccount groupAccount = this.groupAccountService.getGroupObjectOnlyById(groupAccountId);
            Person person = this.personService.findPersonByUsername(username);
            if (logout) {
                // Clear the authentication of whoever is currently logged in.
                Person loggedInUser = this.personService.getCurrentlyAuthenticatedUser();
                if (loggedInUser != null) {
                    loggedInUser.setOnlineStatus(null);
                    this.personService.directPersonUpdate(loggedInUser);
                    SecurityContextHolder.getContext().setAuthentication(null);
                }
            }
            // other service layer code
            if (logout) {
                // Authenticate the invited user without a password.
                Collection<GrantedAuthority> authorities = new ArrayList<>();
                authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
                Authentication authentication = new UsernamePasswordAuthenticationToken(person, null, authorities);
                SecurityContextHolder.getContext().setAuthentication(authentication);
            }
            // rest of the method (catch block, return value) is not shown
        }

Any ideas? Thank you.
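One way to replace the browser's existing session during a backend login, as an added example that is not part of the original post. `BackendLoginHelper` and `switchUser` are hypothetical names; it assumes the controller passes in the `HttpServletRequest`, that the invitation token has already been validated, and the `javax.servlet` API that matches the `j_spring_security_check` era configuration above.

```java
import java.util.Collections;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

// Hypothetical helper (not from the post): swaps the logged-in user for one browser.
public final class BackendLoginHelper {

    private BackendLoginHelper() {
    }

    // principal is the invited user object (the Person in the post's service code).
    public static void switchUser(HttpServletRequest request, Object principal) {
        // 1. Destroy the previous user's session instead of only nulling the
        //    Authentication; nulling leaves the old session and its attributes alive.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        SecurityContextHolder.clearContext();

        // 2. Build the authentication for the invited user (role taken from the post).
        Authentication auth = new UsernamePasswordAuthenticationToken(
                principal, null,
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));

        // 3. Put it in a fresh context for the current request thread.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(auth);
        SecurityContextHolder.setContext(context);

        // 4. Create a new session (new session id) and store the context under the
        //    key the security filter chain reads on later requests.
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(
                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
    }
}
```

Because this runs outside the login filter, it does not register the new session with the `sessionreg` registry used by `concurrency-control`, and it does not remove the previous user's remember-me cookie or persistent token; both need separate handling.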

