Posted to users@tomcat.apache.org by Venkat <ve...@yahoo.com> on 2001/02/01 10:19:44 UTC

Disallowing Concurrent sessions

Hi All

This has reference to a previous discussion on 'disallowing concurrent
login', where Mr. Hans Bergsten came out with a suggestion of implementing the
HttpSessionBindingListener interface, adding every new user to a vector, and
checking for existence when a new user logs in ...

I have implemented a solution similar to that: create a table to store
details such as sessionId, user IP, the user's unique login id, session created
time etc., check the table for the login id, if not found, create a new session
and add the login id to that table, and deny a new session if the login id is
found in the table.  So, if the same user or anybody with the same login id
tries to sign in again, he is redirected to another page which shows the
session details from the table.

This method works as long as the user signs out using another jsp page which
removes all cookies and invalidates the session, but the problem is that if
the user closes the browser window without signing out, those details are
never removed from the table and he will not be able to login at all unless
someone removes his details from the table.

Here, I am looking for a mechanism

  1. which allows the tomcat container to remove all expired sessions from
the table using session Ids,

  2. Inform the first logged in user, log him out, invalidate that session
and create a new session for the newly signed in user

  3. A method which can invalidate a session by its session Id (such as
session.invalidate(sessionId), because the HttpSession.invalidate() method
does not take any argument and invalidates the current session)

I am contemplating this to work similar to Yahoo Messenger (invalidates the old
session and creates a new one)

I seek your valuable suggestions

Thanks in advance


Venkat


_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com


Re: Disallowing Concurrent sessions

Posted by Venkat <ve...@yahoo.com>.
----- Original Message -----
From: "David Wall" <dw...@myEastside.com>
To: <to...@jakarta.apache.org>
Sent: Friday, February 02, 2001 2:01 AM
Subject: Re: Disallowing Concurrent sessions


> > This method works as long as the user signs out using another jsp page
> > which removes all cookies and invalidates the session, but the problem
> > is that if the user closes the browser window without signing out, those
> > details are never removed from the table and he will not be able to
> > login at all unless someone removes his details from the table
>
> That's kind of a big problem <smile>.  Your revised solution is on the
> right track. Logout the original account and let the new one in.  This also
> has the consequence of making a person miserable if he shares his login
> info since his friends will force him off if they come in while he's
> actually using the service, and of course it correctly handles the case
> where the user is simply coming back in without having logged out.
>
> >   2. Inform the first logged in user, log him out, invalidate that
> > session and create new session for the newly signed in user
>
> Well, HTTP won't let you inform the user unless that user does at least
> one more request to your site since the server knows nothing about the
> client.

True, but this can be done .. like adding a small or a spacer image which
refreshes every minute and makes a request .. or a javascript function which
makes a request on an onMouseOver event - catch this event when the mouse
reaches a prominent/frequently used location on the browser window.... and so
on

>
> >   3. A method which can invalidate a session by its session Id (such as
> > session.invalidate(sessionId), because the HttpSession.invalidate()
> > method does not take any argument and invalidates the current session)
>
> That would be cool.  Right now, I'm unfamiliar with such APIs, and it
> seems a waste to check every request against your session db to see if
> the session is still allowed to be active.  But if you did, you could
> update your db with a flag indicating that the user has been logged out,
> return that error page (clearly they didn't really log out since they were
> able to make another request on the session) and invalidate the session
> then.

In fact, some tools like yahoo chat, mail and messenger services and MSN
messenger have these features .. I'm not sure of the logic behind this

>
> I'd be interested in knowing if there's any support (standard or
> otherwise) to let someone invalidate another session.  That would seem
> like a generally BAD thing, but I know that Tomcat supports so-called
> trusted services, and maybe they can do this.
>

Hope some tomcat developers contribute to this post


> David
>
>




Re: Disallowing Concurrent sessions

Posted by David Wall <dw...@myEastside.com>.
> This method works as long as the user signs out using another jsp page
> which removes all cookies and invalidates the session, but the problem is
> that if the user closes the browser window without signing out, those
> details are never removed from the table and he will not be able to login
> at all unless someone removes his details from the table

That's kind of a big problem <smile>.  Your revised solution is on the right
track. Logout the original account and let the new one in.  This also has
the consequence of making a person miserable if he shares his login info
since his friends will force him off if they come in while he's actually
using the service, and of course it correctly handles the case where the
user is simply coming back in without having logged out.

>   2. Inform the first logged in user, log him out, invalidate that session
> and    create new session for the newly signed in user

Well, HTTP won't let you inform the user unless that user does at least one
more request to your site since the server knows nothing about the client.

>   3. A method which can invalidate a session by its session Id (such as
> session.invalidate(sessionId), because the HttpSession.invalidate() method
> does not take any argument and invalidates the current session)

That would be cool.  Right now, I'm unfamiliar with such APIs, and it seems
a waste to check every request against your session db to see if the session
is still allowed to be active.  But if you did, you could update your db with
a flag indicating that the user has been logged out, return that error page
(clearly they didn't really log out since they were able to make another
request on the session) and invalidate the session then.

I'd be interested in knowing if there's any support (standard or otherwise)
to let someone invalidate another session.  That would seem like a generally
BAD thing, but I know that Tomcat supports so-called trusted services, and
maybe they can do this.

David
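To pull the three points of this thread together, here is an added example (my own code, not anything posted in the thread and not part of Tomcat) of the HttpSessionBindingListener approach Hans Bergsten suggested, combined with David's "flag it and check on the next request" idea. It replaces Venkat's database table with an in-memory registry, so the container's own session expiry cleans up stale entries (point 1), the evicted browser is told why it was logged out on its next request (point 2), and "invalidate another session" is addressed by login id rather than by session id (point 3). The class, attribute and page names (SingleSessionRegistry, LoginToken, KickedSessionFilter, login.token, login.kicked, kicked.jsp) are assumptions of this example, and it uses the Servlet 2.3 Filter API, so it needs Tomcat 4 or later.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/**
 * Added example, not Tomcat's code: at most one live session per login id,
 * tracked in memory instead of a database table. Valid within one JVM only;
 * a clustered deployment would need a shared store instead of this map.
 */
public final class SingleSessionRegistry {

    // login id -> the token bound into the session currently allowed for it (hypothetical registry)
    private static final Map<String, LoginToken> ACTIVE = new HashMap<String, LoginToken>();

    static final String TOKEN_ATTR  = "login.token";   // assumed attribute names
    static final String KICKED_ATTR = "login.kicked";

    private SingleSessionRegistry() {}

    /**
     * Stored in the session at login. The container calls valueUnbound both when the
     * session is invalidated and when it times out, so a browser window that is simply
     * closed no longer leaves a stale entry behind (the problem in the original post).
     */
    public static final class LoginToken implements HttpSessionBindingListener {
        private final String loginId;
        private HttpSession session;   // set by the container when the token is bound

        LoginToken(String loginId) { this.loginId = loginId; }

        public void valueBound(HttpSessionBindingEvent e) {
            session = e.getSession();
            synchronized (ACTIVE) { ACTIVE.put(loginId, this); }
        }

        public void valueUnbound(HttpSessionBindingEvent e) {
            synchronized (ACTIVE) {
                // Only drop the entry if it is still *this* token; a newer login for the
                // same id must not be evicted by the old session's cleanup.
                if (ACTIVE.get(loginId) == this) {
                    ACTIVE.remove(loginId);
                }
            }
        }
    }

    /** Call after the credentials have been verified, from the login servlet or JSP. */
    public static void login(HttpServletRequest req, String loginId) {
        HttpSession current = req.getSession(true);
        LoginToken old;
        synchronized (ACTIVE) { old = ACTIVE.get(loginId); }
        // Same browser coming back without having logged out: keep its session, just re-bind.
        // A different session holding this login id: flag it so it is logged out on its next request.
        if (old != null && old.session != current) {
            forceLogout(loginId);
        }
        current.setAttribute(TOKEN_ATTR, new LoginToken(loginId));   // triggers valueBound
    }

    /** Logs out whichever session currently holds this login id; returns false if there was none. */
    public static boolean forceLogout(String loginId) {
        LoginToken old;
        synchronized (ACTIVE) { old = ACTIVE.remove(loginId); }
        if (old == null) return false;
        try {
            // Flag rather than invalidate: an invalidated session cannot carry a message
            // back to the browser, whereas the filter below can show one and then invalidate.
            old.session.setAttribute(KICKED_ATTR, Boolean.TRUE);
            return true;
        } catch (IllegalStateException alreadyInvalid) {
            return false;   // expired between the lookup and the flag; nothing left to do
        }
    }

    /**
     * Runs on every request, as David proposed, but checks an in-memory session
     * attribute rather than a database row, so the per-request cost is negligible.
     * Map it to /* in web.xml.
     */
    public static final class KickedSessionFilter implements Filter {
        public void init(FilterConfig config) {}
        public void destroy() {}

        public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) rq;
            HttpSession session = req.getSession(false);
            if (session != null && Boolean.TRUE.equals(session.getAttribute(KICKED_ATTR))) {
                session.invalidate();   // also unbinds the LoginToken
                ((HttpServletResponse) rs).sendRedirect(req.getContextPath() + "/kicked.jsp"); // assumed page
                return;
            }
            chain.doFilter(rq, rs);
        }
    }
}
```

The explicit sign-out page stays as it was: calling session.invalidate() there unbinds the token and frees the login id. The identity check in valueUnbound matters because replacing the token attribute on the same session fires valueUnbound for the old token as well as valueBound for the new one, and the order is container-specific; comparing tokens rather than sessions keeps a re-login from the same browser from wiping its own registration.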