Posted to users@tomcat.apache.org by be...@thomsonreuters.com on 2012/01/13 02:18:04 UTC

Strategy to prohibit concurrent users authenticated through Tomcat

I am using Tomcat 7.0.11 and use Form Authentication (via j_security_check) to authenticate through the Tomcat server.
Currently, two users with the same username can log into my application from two different computers and concurrently access the app.
Is there a way to prohibit a user from authenticating if a user with the same username has previously authenticated and still has an active session?

Thanks
Beau

Re: Strategy to prohibit concurrent users authenticated through Tomcat

Posted by chris derham <ch...@derham.me.uk>.
>> I am using Tomcat 7.0.11 and use Form Authentication (via
>> j_security_check) to authenticate through the Tomcat server.
>> Currently, two users with the same username can log into my application
>> from two different computers and concurrently access the app.
>> Is there a way to prohibit a user from authenticating if a user with the
>> same username has previously authenticated and still has an active session?
>>

We use spring security in a web app that is deployed in tomcat. It has
built in support for this - you can configure to either disallow subsequent
sessions, or kill the first session and allow subsequent sessions. This
should explain it better than I can
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/session-mgmt.html.
Don't know how big a task it would be for you to move to this, but it works
really well for us

> If you provide a bit more information about what you are trying/need to do,
> someone may come up with a better idea.
> For example, what is the real problem - in your application - when two
> people at different computers login with the same user-id ?
>

+1

Chris

Re: Strategy to prohibit concurrent users authenticated through Tomcat

Posted by André Warnier <aw...@ice-sa.com>.
beau.hutcheson@thomsonreuters.com wrote:
> I am using Tomcat 7.0.11 and use Form Authentication (via j_security_check) to authenticate through the Tomcat server.
> Currently, two users with the same username can log into my application from two different computers and concurrently access the app.
> Is there a way to prohibit a user from authenticating if a user with the same username has previously authenticated and still has an active session?
> 
There is always a way, but not necessarily an easy way.
I do not know of any standard authentication scheme which would prevent that.

Maybe you should first reconsider your basic scheme : in my experience, it is always a bad 
idea in the end, in terms of security and in terms of audit (and in many cases in terms of 
application logic), to use "group" id's (iow allowing more than one physical person to 
login under a common user-id).  The main point is : when something happens, you never know 
who did it (be that for support, debugging, statistics or security reasons).
It also interferes with things like "personal settings" etc..

I know of /applications/ which control that.  For example, one database system which I use 
allows to set for each user-id a "maximum simultaneous login count" which limits the 
user's concurrent sessions to 1..n (settable by the administrator).

Another way would be to use a servlet filter to keep a count or a flag.  But it's tricky, 
because you need to store that somewhere, and you need to make sure that whatever happens 
(e.g. an application or user error) this count always gets reset when a user's session is 
terminated (even unexpectedly).

If you provide a bit more information about what you are trying/need to do, someone may 
come up with a better idea.
For example, what is the real problem - in your application - when two people at different 
computers login with the same user-id ?
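
One way to implement the servlet-filter approach described above, as an added example that is not code from the thread. It assumes a Servlet 3.0 container (Tomcat 7), the class name SingleSessionFilter and the choice of a 409 response are mine, and the registry is per-JVM, so a clustered deployment would need a shared store instead of the static map.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

// Hypothetical filter + listener: allows at most one active session per user-id.
// The container authenticates via j_security_check before this filter runs, so
// getUserPrincipal() is already set on the first protected request after login.
@WebFilter("/*")
@WebListener
public class SingleSessionFilter implements Filter, HttpSessionListener {
    // user name -> id of the session that currently owns that name.
    // Static because the container may create separate instances for the
    // filter and the listener roles.
    private static final ConcurrentHashMap<String, String> ACTIVE = new ConcurrentHashMap<>();

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        Principal p = request.getUserPrincipal();
        HttpSession session = request.getSession(false);
        if (p != null && session != null) {
            // putIfAbsent is atomic, so two concurrent logins cannot both claim the name.
            String owner = ACTIVE.putIfAbsent(p.getName(), session.getId());
            if (owner != null && !owner.equals(session.getId())) {
                // Another live session already holds this user-id: drop this one.
                session.invalidate();
                ((HttpServletResponse) res).sendError(
                        HttpServletResponse.SC_CONFLICT, "user already has an active session");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    // Called by the container on logout, explicit invalidate() AND session timeout,
    // which is what guarantees the slot is released however the session ends.
    public void sessionDestroyed(HttpSessionEvent e) {
        ACTIVE.values().remove(e.getSession().getId());
    }

    public void sessionCreated(HttpSessionEvent e) { }
    public void init(FilterConfig config) { }
    public void destroy() { }
}
```

Swapping the invalidate-and-reject branch for invalidating the session stored in `owner` instead gives the "kill the first session" policy that Chris mentions, but that needs the registry to hold session objects rather than ids.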

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org