You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@struts.apache.org by "Aravapalli, Udaya" <Ud...@McKesson.com> on 2002/10/04 17:45:47 UTC

[OT] [session] Shared userId

Hi 

        I want to check if an user tries to login with an userId for
which a session is already existing and show a message.

        This can also be applied if two users want to share the same
userId and try to login at the same time. 
        Whenever a session is being created by the user , I want to
store       the userId in the database using the valueBound method in
HttpSessionBindingListener and remove it from the Database when the
session is invalidated using the valueUnbound method. But   this will
not work if the user does not explicitly invalidate the session (like
closing the browser).Then the session will remain active until  the
session time out has reached. Is there any way to determine an browser
closing action by the user and invalidate the session..

thanks 
Uday

Re: [OT] [session] Shared userId

Posted by Eddie Bush <ek...@swbell.net>.

No - there's not a reliable way to do it.  You could lower your session 
timeout - or simply inform your users of the consequences of not logging 
out.  Of course, there are going to be some folks who will have Windows 
crash on them (!) and they might get a bit perterbed that - through no 
fault of their own - they have to wait for their session to expire 
before they can log back in.

You might ... give yourself a way to get ahold of the existing session 
and close that session.  Of course ... that could perterb some folks too 
:-)  I suppose you could examine it before you close it and see how long 
it has been idle.  You could then implement some policy of "A session 
must be idle XX minutes before we can manually 'trash' it".  So you'd 
wind up examining the session on basis of how long it has sat idle - and 
only drop folks that are idle for a given period of time (ex.  session 
timeout is normally 30 minutes, but you implement an "agressive" timeout 
of 15 minutes [ or shorter, according to your view/needs ]).

Aravapalli, Udaya wrote:

>Hi 
>
>        I want to check if an user tries to login with an userId for
>which a session is already existing and show a message.
>
>        This can also be applied if two users want to share the same
>userId and try to login at the same time. 
>        Whenever a session is being created by the user , I want to
>store       the userId in the database using the valueBound method in
>HttpSessionBindingListener and remove it from the Database when the
>session is invalidated using the valueUnbound method. But   this will
>not work if the user does not explicitly invalidate the session (like
>closing the browser).Then the session will remain active until  the
>session time out has reached. Is there any way to determine an browser
>closing action by the user and invalidate the session..
>
>thanks 
>Uday 
>
-- 
Eddie Bush

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

Re: [OT] [session] Shared userId

Posted by James Mitchell <jm...@telocity.com>.

I know what you want to do.  In the web environment, it is impossible.

For every solution you can think of, I can come up with at least 2 "what 
if" scenarios that will invalidate your logic.
I've been through this with at least 5 different Product Managers and 
there is just no way to handle it.

Sorry if this is only discouraging news, but it is reality.

Good Luck

James

Aravapalli, Udaya wrote:

>Hi 
>
>        I want to check if an user tries to login with an userId for
>which a session is already existing and show a message.
>
>        This can also be applied if two users want to share the same
>userId and try to login at the same time. 
>        Whenever a session is being created by the user , I want to
>store       the userId in the database using the valueBound method in
>HttpSessionBindingListener and remove it from the Database when the
>session is invalidated using the valueUnbound method. But   this will
>not work if the user does not explicitly invalidate the session (like
>closing the browser).Then the session will remain active until  the
>session time out has reached. Is there any way to determine an browser
>closing action by the user and invalidate the session..
>
>thanks 
>Uday 
>
>
>



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>