Posted to users@tomcat.apache.org by Dale Nesbitt <dn...@train2invest.com> on 2007/09/19 23:10:33 UTC

Session uniqueness

Is there a way to enforce that a given username can only have one valid
session at a time?

-- 
Dale Nesbitt



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Session uniqueness

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Dale,

Dale Nesbitt wrote:
> An archives search yielded me nothing.  I must be phrasing my query in
> an incorrect, non-jargon manner.

Perhaps. I know it's been discussed, but I honestly can't suggest any
good search strings. ;)

> I suppose the _easiest_ way would be to use a persistent database to
> keep track of the users logged in, and use an HttpSessionListener to log
> users out when their sessions either get invalidated (normal logout) or
> expire (timed logout).

Don't forget that your database might end up collecting data over time
for sessions never properly cleaned up. For instance, if one of your
servers dies, all those sessions will never be purged from the database.
It's inconvenient when you lock out a lot of users because one of your
servers went down.

Also, if you aren't using cookies (or even if you are, but still use
direct-login capabilities) then it's possible users will close a browser
window and then attempt to re-login (even if they do not have to), thus
severing their relationship with their existing session. In this case,
your users will have to wait for the session to time out on the server
side before they can log in again.

Any particular reason to limit to one-session-per-user? I'm always
curious about these kinds of requirements...

-chris


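Added example, not part of the original thread and not Tomcat's own code: a sketch of the listener-based approach discussed above, kept in memory for a single Tomcat instance instead of the database Dale proposes. It assumes a newest-login-wins policy (a new login invalidates the older session) so that a stale entry never blocks a new login; the class name, the attribute name and the register() hook are hypothetical.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added example (hypothetical class). Needs the Servlet 2.4+ API on the
// classpath and a <listener> entry in web.xml.
public class SingleSessionRegistry implements HttpSessionListener {
    // Hypothetical attribute under which the login code records the username.
    static final String USER_ATTR = "example.username";

    // username -> the one session currently allowed for that user (this JVM only).
    private static final ConcurrentMap<String, HttpSession> ACTIVE =
            new ConcurrentHashMap<String, HttpSession>();

    // Call from the login code once credentials have been verified.
    public static void register(String username, HttpSession session) {
        session.setAttribute(USER_ATTR, username);
        HttpSession previous = ACTIVE.put(username, session);
        if (previous == null) return;
        try {
            if (!previous.getId().equals(session.getId())) {
                previous.invalidate(); // fires sessionDestroyed for the old session
            }
        } catch (IllegalStateException alreadyGone) {
            // The old session expired on its own in the meantime.
        }
    }

    public void sessionCreated(HttpSessionEvent event) {
        // Sessions are registered at login, not at creation.
    }

    // Called on explicit logout (invalidate) and on timeout.
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession dying = event.getSession();
        Object username = dying.getAttribute(USER_ATTR);
        if (username == null) return; // never logged in
        HttpSession current = ACTIVE.get(username);
        // Drop the entry only if it still points at the session being destroyed,
        // so tearing down a replaced session does not evict the user's new one.
        if (current != null && current.getId().equals(dying.getId())) {
            ACTIVE.remove(username, current);
        }
    }
}
```

On more than one server the map would have to live in shared storage, which brings back the stale-entry cleanup problem raised in the reply above.
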

Re: Session uniqueness

Posted by Dale Nesbitt <dn...@train2invest.com>.

An archives search yielded me nothing.  I must be phrasing my query in
an incorrect, non-jargon manner.

I suppose the _easiest_ way would be to use a persistent database to
keep track of the users logged in, and use an HttpSessionListener to log
users out when their sessions either get invalidated (normal logout) or
expire (timed logout).  If you can think of a smarter way, I'm all
ears/eyes.

Thanks,
	Dale.

Christopher Schultz wrote:
> Dale Nesbitt wrote:
>> Is there a way to enforce that a given username can only have one valid
>> session at a time?
> 
> Yes, but I'd imagine the question you're really asking is "is there an
> /easy/ way to enforce..." or, perhaps "a standard way". The answer to
> both of these is "no".
> 
> You basically have to roll your own login-restriction mechanism. This
> question has been asked several times on the list. Try looking around
> the archives for the past discussions... we usually tell people that
> it's possible but a real PITA to do.

-- 
Dale Nesbitt


Re: Session uniqueness

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Dale,

Dale Nesbitt wrote:
> Is there a way to enforce that a given username can only have one valid
> session at a time?

Yes, but I'd imagine the question you're really asking is "is there an
/easy/ way to enforce..." or, perhaps "a standard way". The answer to
both of these is "no".

You basically have to roll your own login-restriction mechanism. This
question has been asked several times on the list. Try looking around
the archives for the past discussions... we usually tell people that
it's possible but a real PITA to do.

-chris