Only one session for logged user.

[Martin Bednář <ma...@triax.cz>]

Hello,

In our application I must guarantee that user is logged only once to the
application.
I have the following problem.

1,User logged to aplication, create session1
2,User browser crased, but session1 is still alive for next 30minutes
(session expiration time is 30minutes).
3,User open new browser and login to application (session2 is created).

And in point 3 I need close session1 before I log user in.

I hold userId in user session, but I don't know how to iterate over all
sessions and check if another session for same user is here.

Any advice ?

Thx Martin

Re: Only one session for logged user.

[Ernesto Reinaldo Barreiro <re...@gmail.com>]

Using a session listener to record session creation/destruction and them use
that info to invalidate previous sessions where the user is the same?

Ernesto

On Fri, Mar 6, 2009 at 11:34 AM, Martin Bednář <ma...@triax.cz>wrote:

> Hello,
>
> In our application I must guarantee that user is logged only once to the
> application.
> I have the following problem.
>
> 1,User logged to aplication, create session1
> 2,User browser crased, but session1 is still alive for next 30minutes
> (session expiration time is 30minutes).
> 3,User open new browser and login to application (session2 is created).
>
> And in point 3 I need close session1 before I log user in.
>
> I hold userId in user session, but I don't know how to iterate over all
> sessions and check if another session for same user is here.
>
> Any advice ?
>
> Thx Martin
>

Re: Only one session for logged user.

[Igor Vaynberg <ig...@gmail.com>]

instead of storing a user id store a uuid that is generated on login,
and resolve the uuid back to user.

every time the user logs in you invalidate all other uuids they have
and generate a new one.

-igor

On Fri, Mar 6, 2009 at 2:34 AM, Martin Bednář <ma...@triax.cz> wrote:
> Hello,
>
> In our application I must guarantee that user is logged only once to the
> application.
> I have the following problem.
>
> 1,User logged to aplication, create session1
> 2,User browser crased, but session1 is still alive for next 30minutes
> (session expiration time is 30minutes).
> 3,User open new browser and login to application (session2 is created).
>
> And in point 3 I need close session1 before I log user in.
>
> I hold userId in user session, but I don't know how to iterate over all
> sessions and check if another session for same user is here.
>
> Any advice ?
>
> Thx Martin
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org

Re: Only one session for logged user.

[Leszek Gawron <lg...@apache.org>]

Martin Bednář wrote:
> Hello,
> 
> In our application I must guarantee that user is logged only once to the
> application.
> I have the following problem.
> 
> 1,User logged to aplication, create session1
> 2,User browser crased, but session1 is still alive for next 30minutes
> (session expiration time is 30minutes).
> 3,User open new browser and login to application (session2 is created).
> 
> And in point 3 I need close session1 before I log user in.
> 
> I hold userId in user session, but I don't know how to iterate over all
> sessions and check if another session for same user is here.
> 
> Any advice ?

Have a look at how Acegi Security handles concurrent sessions management:

http://www.acegisecurity.org/guide/springsecurity.html#concurrent-sessions

hth

-- 
Leszek Gawron

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org