Posted to user@shiro.apache.org by gurjant singh <gu...@gmail.com> on 2013/09/27 12:09:59 UTC

Re: Control/Prevent concurrent user logins from different browsers/devices

Hi,

 I have to allow a user to log in from only one device at a time and have to
> expire or invalidate the other sessions of that user if he has logged in
> from other devices/browsers. How can we do this in Apache Shiro? Please
> help me.
>
> Thanks,
>
> -Bunty
>
>
>

Re: Control/Prevent concurrent user logins from different browsers/devices

Posted by versatec <ro...@versatec.de>.
Would it not suffice to check whether subject.isAuthenticated() and then
either do subject.logout() before accepting the new login attempt or deny
the new login attempt? Am I missing something here?



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Re-Control-Prevent-concurrent-user-logins-from-different-browsers-devices-tp7579195p7579381.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Control/Prevent concurrent user logins from different browsers/devices

Posted by Bunty <gu...@gmail.com>.
Les,

Thank you for the reply.

I was supposing this as the last solution; I was expecting that Shiro
would control the maximum logins of a user, as these are handled in Spring
Security.

Thanks,
-Bunty


On Sun, Sep 29, 2013 at 12:31 AM, Les Hazlewood-2 [via Shiro User] <
ml-node+s582556n7579199h14@n2.nabble.com> wrote:

> This is not built in to Shiro at the moment.  Your best bet is to use
> Shiro's native session management and use a queryable session data store.
>  Then, when a user request comes in, you can query the session data store
> and see if they have any existing sessions.  If so, deny the request.
>
> HTH,
>
> --
> Les Hazlewood | @lhazlewood
> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
>
>
> On Fri, Sep 27, 2013 at 3:09 AM, gurjant singh <[hidden email]> wrote:
>
>>
>> Hi,
>>
>>
>>  I have to allow a user to log in from only one device at a time and have to
>>> expire or invalidate the other sessions of that user if he has logged in
>>> from other devices/browsers. How can we do this in Apache Shiro? Please
>>> help me.
>>>
>>> Thanks,
>>>
>>> -Bunty
>>>
>>>
>>>
>>
>>
>
>





Re: Control/Prevent concurrent user logins from different browsers/devices

Posted by Jordan Green <jg...@slacker.com>.
I was able to do this in a custom Authentication filter, where I have a
static map of userName->SessionId.
Then, in the onAccessDenied method after the user logs in, I look for a
prior sessionId for that username, and if I find one, I get the sessionDao
and delete the session.

Since I'm doing the last login wins, I don't want to deny the request. But
if you wanted to do that, you could return false from the onAccessDenied
method, probably with some kind of status on your response.





Re: Control/Prevent concurrent user logins from different browsers/devices

Posted by Albert Kam <mo...@gmail.com>.
I assume that in order to detect the existing session,
I'll have to do a check based on the principal (or in my simple case, the
username) upon a new login.
If the old session is there, then it's deleted, and the new login can
continue. So, last login wins.

I tried doing the check in AbstractSessionDAO.doCreate,
but at that time the passed SimpleSession doesn't contain any info about the
principal yet.
Next I tried AbstractSessionDAO.update, where the principal info is set
under the attribute key
of "org.apache.shiro.subject.support.DefaultSubjectContext_PRINCIPALS_SESSION_KEY".
After fetching the principal, I can continue checking for the existing session
using the same principal and delete it.
But I'm wondering whether this is the place to do the checking?
If so, how do I differentiate between the session creation's update() and
other kinds of updates, to avoid having to check on every update?

> Then, when a user request comes in, you can query the session data store
> and see if they have any existing sessions.
May I ask where a good place to do this checking is?

> If so, deny the request.
How do I deny the request?


On Sun, Sep 29, 2013 at 2:01 AM, Les Hazlewood <lh...@apache.org> wrote:

> This is not built in to Shiro at the moment.  Your best bet is to use
> Shiro's native session management and use a queryable session data store.
>  Then, when a user request comes in, you can query the session data store
> and see if they have any existing sessions.  If so, deny the request.
>
> HTH,
>
> --
> Les Hazlewood | @lhazlewood
> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
>
>
> On Fri, Sep 27, 2013 at 3:09 AM, gurjant singh <gu...@gmail.com> wrote:
>
>>
>> Hi,
>>
>>
>>  I have to allow a user to log in from only one device at a time and have to
>>> expire or invalidate the other sessions of that user if he has logged in
>>> from other devices/browsers. How can we do this in Apache Shiro? Please
>>> help me.
>>>
>>> Thanks,
>>>
>>> -Bunty
>>>
>>>
>>>
>>
>>
>


-- 
Do not pursue the past. Do not lose yourself in the future.
The past no longer is. The future has not yet come.
Looking deeply at life as it is in the very here and now,
the practitioner dwells in stability and freedom.
(Thich Nhat Hanh)
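
The "last login wins" approach from the two messages above (Jordan Green's filter and the principal lookup Albert Kam describes), done by querying the session store at login time instead of keeping a static map. This is an added example, not code from any poster or from the Shiro project. It assumes Shiro 1.x with native session management (a DefaultWebSessionManager), a primary principal with a usable equals() such as a username string, and the class name SingleSessionFormFilter is hypothetical.

```java
import java.io.Serializable;
import java.util.ArrayList;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.DefaultSubjectContext;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

// Hypothetical filter (added example): after a successful form login, remove
// every other stored session that belongs to the same primary principal.
public class SingleSessionFormFilter extends FormAuthenticationFilter {

    @Override
    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
            ServletRequest request, ServletResponse response) throws Exception {
        // Runs once per login, after the principals are stored in the new session,
        // so there is no need to hook SessionDAO.update() and filter its calls.
        evictOtherSessions(subject);
        return super.onLoginSuccess(token, subject, request, response);
    }

    private void evictOtherSessions(Subject subject) {
        DefaultSecurityManager sm = (DefaultSecurityManager) SecurityUtils.getSecurityManager();
        if (!(sm.getSessionManager() instanceof DefaultSessionManager)) {
            // Servlet-container sessions are not queryable through a SessionDAO.
            throw new IllegalStateException("Shiro native session management is required");
        }
        SessionDAO dao = ((DefaultSessionManager) sm.getSessionManager()).getSessionDAO();
        Serializable currentId = subject.getSession().getId();
        Object user = subject.getPrincipal();
        // Copy first: the DAO may return a live view of its backing store.
        for (Session s : new ArrayList<Session>(dao.getActiveSessions())) {
            if (s.getId().equals(currentId)) {
                continue; // keep the session that just logged in
            }
            Object attr = s.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
            if (attr instanceof PrincipalCollection
                    && user.equals(((PrincipalCollection) attr).getPrimaryPrincipal())) {
                dao.delete(s); // the older browser/device fails its next session lookup
            }
        }
    }
}
```

The scan is linear in the number of active sessions on each login, so a large deployment would want a session store that can be queried by principal. To deny the new login instead of evicting the old session, the same lookup would have to run before the login is accepted.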

Re: Control/Prevent concurrent user logins from different browsers/devices

Posted by Les Hazlewood <lh...@apache.org>.
This is not built in to Shiro at the moment.  Your best bet is to use
Shiro's native session management and use a queryable session data store.
 Then, when a user request comes in, you can query the session data store
and see if they have any existing sessions.  If so, deny the request.

HTH,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282


On Fri, Sep 27, 2013 at 3:09 AM, gurjant singh <gu...@gmail.com> wrote:

>
> Hi,
>
>
>  I have to allow a user to log in from only one device at a time and have to
>> expire or invalidate the other sessions of that user if he has logged in
>> from other devices/browsers. How can we do this in Apache Shiro? Please
>> help me.
>>
>> Thanks,
>>
>> -Bunty
>>
>>
>>
>
>