You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Michael Mehrle <mi...@datasaur.com> on 2005/06/14 18:22:29 UTC
Concurrent login detection - how?
What is the best way to detect two people being logged in concurrently using
the same account? This is one aspect of my efforts to restrict fraudulent
access. Again, I don't want to use Acegi since it seems to break the rest of
my app. So, what's the best way to do this 'traditionally'?
Thanks!
Michael
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Concurrent login detection - how?
Posted by Tim Diggins <su...@red56.co.uk>.
And I presume you'd need to get/persist this java object to a database,
if you fancied scaling beyond a single application server? (Or am I
missing something?)
Andre Van Klaveren wrote:
> This will prevent users from having more than one session at a time
> for sure. You would probably want to remove the id from the list when
> a duplicate is detected to prevent users from having to wait for their
> initial session to timeout in the event that they closed their browser
> without properly logging out. You would also need to keep the session
> id in this list so that you can invalidate the session that is related
> to the id.
>
> This of course would drop the original session and in the event that
> two people were using the same ID it would become a nuisence for the
> first user to login (they would loose their session).
>
> You would want to make sure to log this event for auditing purpose as well.
>
> Did I miss anything?
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Concurrent login detection - how?
Posted by Andre Van Klaveren <ny...@gmail.com>.
This will prevent users from having more than one session at a time
for sure. You would probably want to remove the id from the list when
a duplicate is detected to prevent users from having to wait for their
initial session to timeout in the event that they closed their browser
without properly logging out. You would also need to keep the session
id in this list so that you can invalidate the session that is related
to the id.
This of course would drop the original session and in the event that
two people were using the same ID it would become a nuisence for the
first user to login (they would loose their session).
You would want to make sure to log this event for auditing purpose as well.
Did I miss anything?
--
Virtually,
Andre Van Klaveren
Architect III, SCP
Enterprise Transformation Services
Unisys Corporation
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Concurrent login detection - how?
Posted by Woodchuck <wo...@yahoo.com>.
yes, this boils down to a business policy issue. in my web app the
policy is 'one user at any one time'. we track user logins at the
database level. we immediately invalidate the existing user session if
the same user has just logged in (again).
the existing user gets a "your session has expired" message upon their
next action in the web app. basically, the latest login wins.
this is the behavior/policy our client is happy with.
woodchuck
--- Andre Van Klaveren <ny...@gmail.com> wrote:
> I mentioned this issue (killing browser problem) in a previous
> posting. The only way to prevent this is to invalidate the original
> session also in the event that a duplicate login was detected. I can
> see a possible DOS attack problem with this solution though. Maybe
> you shouldn't invalidate the original session and make the user call
> helpdesk to invalidate the original session. This would aid in the
> tracking of this event also.
>
> Using IP addresses is usually not a good way to detect duplicate
> logins. I guess this would work in a controlled environment
> (intranet) where you can guarantee that the user(s) aren't behind a
> proxy server. It's definetly not an option for a public site.
>
>
>
> On 6/15/05, Nikola Milutinovic <Ni...@ev.co.yu> wrote:
> > David Rickard wrote:
> >
> > > Don't know if this is an optimum solution, but it should work:
> > > Keep a List or Vector of IDs for active users in a shared,
> > > application-level object (probably ServletContext);
> > > When someone logs in, search the List for the submitted ID: if
> not
> > > present, continue with login sequence; if present, kick them to
> the
> > > "duplicate login" page;
> > > Remove IDs from the List when users log out (and add a
> > > ServletContextListener to catch people who leave the site without
> > > logging out--remove their IDs when their sessions time out);
> >
> >
> > This is definitely a correct approach, but it has onw shortcoming.
> > Suppose one user opens up a session (logs in) and his/her browser
> dies.
> > The user opens another browser and tries to login, only to be
> kicked to
> > "duplicate user" page. I think in this case, the original poster
> should
> > have a vector or a hash map of user names and remote machine
> names/IPs.
> >
> > Nix.
> >
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail:
> tomcat-user-help@jakarta.apache.org
> >
> >
>
>
> --
> Virtually,
> Andre Van Klaveren
> Architect III, SCP
> Enterprise Transformation Services
> Unisys Corporation
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
__________________________________
Discover Yahoo!
Find restaurants, movies, travel and more fun for the weekend. Check it out!
http://discover.yahoo.com/weekend.html
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Concurrent login detection - how?
Posted by Nikola Milutinovic <Ni...@ev.co.yu>.
Andre Van Klaveren wrote:
>I mentioned this issue (killing browser problem) in a previous
>posting. The only way to prevent this is to invalidate the original
>session also in the event that a duplicate login was detected. I can
>see a possible DOS attack problem with this solution though. Maybe
>you shouldn't invalidate the original session and make the user call
>helpdesk to invalidate the original session. This would aid in the
>tracking of this event also.
>
>
To DoS or not to DoS? I would let the session expire naturally, let the
SessionListener cleanup and logout the user and when a duplicate comes
in tell them what is the case. If they need access *now*, they can call
the help desk.
>Using IP addresses is usually not a good way to detect duplicate
>logins. I guess this would work in a controlled environment
>(intranet) where you can guarantee that the user(s) aren't behind a
>proxy server. It's definetly not an option for a public site.
>
>
True.
Nix.
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Concurrent login detection - how?
Posted by Andre Van Klaveren <ny...@gmail.com>.
I mentioned this issue (killing browser problem) in a previous
posting. The only way to prevent this is to invalidate the original
session also in the event that a duplicate login was detected. I can
see a possible DOS attack problem with this solution though. Maybe
you shouldn't invalidate the original session and make the user call
helpdesk to invalidate the original session. This would aid in the
tracking of this event also.
Using IP addresses is usually not a good way to detect duplicate
logins. I guess this would work in a controlled environment
(intranet) where you can guarantee that the user(s) aren't behind a
proxy server. It's definetly not an option for a public site.
On 6/15/05, Nikola Milutinovic <Ni...@ev.co.yu> wrote:
> David Rickard wrote:
>
> > Don't know if this is an optimum solution, but it should work:
> > Keep a List or Vector of IDs for active users in a shared,
> > application-level object (probably ServletContext);
> > When someone logs in, search the List for the submitted ID: if not
> > present, continue with login sequence; if present, kick them to the
> > "duplicate login" page;
> > Remove IDs from the List when users log out (and add a
> > ServletContextListener to catch people who leave the site without
> > logging out--remove their IDs when their sessions time out);
>
>
> This is definitely a correct approach, but it has onw shortcoming.
> Suppose one user opens up a session (logs in) and his/her browser dies.
> The user opens another browser and tries to login, only to be kicked to
> "duplicate user" page. I think in this case, the original poster should
> have a vector or a hash map of user names and remote machine names/IPs.
>
> Nix.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
--
Virtually,
Andre Van Klaveren
Architect III, SCP
Enterprise Transformation Services
Unisys Corporation
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Concurrent login detection - how?
Posted by Nikola Milutinovic <Ni...@ev.co.yu>.
David Rickard wrote:
> Don't know if this is an optimum solution, but it should work:
> Keep a List or Vector of IDs for active users in a shared,
> application-level object (probably ServletContext);
> When someone logs in, search the List for the submitted ID: if not
> present, continue with login sequence; if present, kick them to the
> "duplicate login" page;
> Remove IDs from the List when users log out (and add a
> ServletContextListener to catch people who leave the site without
> logging out--remove their IDs when their sessions time out);
This is definitely a correct approach, but it has onw shortcoming.
Suppose one user opens up a session (logs in) and his/her browser dies.
The user opens another browser and tries to login, only to be kicked to
"duplicate user" page. I think in this case, the original poster should
have a vector or a hash map of user names and remote machine names/IPs.
Nix.
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Concurrent login detection - how?
Posted by "Frank W. Zammetti" <fz...@omnytex.com>.
A SessionContextListener gets called when a session times out, or is
otherwise invalidated. This is how you do it. I did this in an app
some time ago... I just needed to maintain a list of who was logged in.
You can do something simple like I did: have a UsersList object with
a single static HashMap in it. In that HashMap goes User objects. When
the session is created, the listener is called, and you put the User
object in it. When the session is destroyed, you remove it. I keyed
the HashMap off user ID, you can do it however you like. Just be sure
to take concurrency into account and it works rather well. You could do
it to a database if your requirements make that a better choice.
Frank
Michael Mehrle wrote:
> That actually goes to the heart of my question: HOW do I detect when
> their session times out? ;-)
> I know the 'strategy' of doing this, but I don't know how to capture a
> timed-out session - technically. Any input would be welcome.
>
> TIA,
>
> Michael
>
> ----- Original Message ----- From: "David Rickard"
> <Da...@techbooks.com>
> To: "Tomcat Users List" <to...@jakarta.apache.org>
> Sent: Tuesday, June 14, 2005 9:53 AM
> Subject: Re: Concurrent login detection - how?
>
>
>
>> Remove IDs from the List when users log out (and add a
>> ServletContextListener to catch people who leave the site without logging
>> out--remove their IDs when their sessions time out);
>>
>> At 09:22 AM 6/14/2005, you wrote:
>>
>>> What is the best way to detect two people being logged in
>>> concurrently using
>>> the same account? This is one aspect of my efforts to restrict
>>> fraudulent
>>> access. Again, I don't want to use Acegi since it seems to break the
>>> rest of
>>> my app. So, what's the best way to do this 'traditionally'?
>>>
>>> Thanks!
>>>
>>> Michael
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>>
>>
>>
>> --
>>
>> David Rickard
>> Software Engineer
>>
>> TechBooks/GTS
>> Your Single Source Solution!
>> Los Angeles CA * York, PA * Boston,MA * New Delhi, India
>> Visit us on the World Wide Web
>> <http://www.techbooks.com>http://www.techbooks.com
>>
>> david.rickard@techbooks.com
>> 5650 Jillson St., Los Angeles, CA 90040
>> (323) 888-8889 x331
>> (323) 888-1849 (Fax)
>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
>
>
>
--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Concurrent login detection - how?
Posted by David Rickard <Da...@techbooks.com>.
A HttpSessionListener implements a sessionDestroyed() method, which
receives a HttpSessionEvent object from the servlet container when "a
session is about to be invalidated" (the timing undoubtedly depends upon
the container); the HttpSessionEvent object has a getSession() method,
which returns the HttpSession object about to be invalidated, from which
you can get the session ID & other information to identify the affected user;
At 01:28 PM 6/14/2005, Michael Mehrle wrote:
>That actually goes to the heart of my question: HOW do I detect when their
>session times out? ;-)
>I know the 'strategy' of doing this, but I don't know how to capture a
>timed-out session - technically. Any input would be welcome.
>
>TIA,
>
>Michael
>
>----- Original Message ----- From: "David Rickard"
><Da...@techbooks.com>
>To: "Tomcat Users List" <to...@jakarta.apache.org>
>Sent: Tuesday, June 14, 2005 9:53 AM
>Subject: Re: Concurrent login detection - how?
>
>
>
>>Remove IDs from the List when users log out (and add a
>>ServletContextListener to catch people who leave the site without logging
>>out--remove their IDs when their sessions time out);
>>
>>At 09:22 AM 6/14/2005, you wrote:
>>>What is the best way to detect two people being logged in concurrently using
>>>the same account? This is one aspect of my efforts to restrict fraudulent
>>>access. Again, I don't want to use Acegi since it seems to break the rest of
>>>my app. So, what's the best way to do this 'traditionally'?
>>>
>>>Thanks!
>>>
>>>Michael
>>>
>>>
>>>---------------------------------------------------------------------
>>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>
>>
>>--
>>
>>David Rickard
>>Software Engineer
>>
>>TechBooks/GTS
>>Your Single Source Solution!
>>Los Angeles CA * York, PA * Boston,MA * New Delhi, India
>>Visit us on the World Wide Web
>><http://www.techbooks.com>http://www.techbooks.com
>>
>>david.rickard@techbooks.com
>>5650 Jillson St., Los Angeles, CA 90040
>>(323) 888-8889 x331
>>(323) 888-1849 (Fax)
>>
>
--
David Rickard
Software Engineer
TechBooks/GTS
Your Single Source Solution!
Los Angeles CA * York, PA * Boston,MA * New Delhi, India
Visit us on the World Wide Web
<http://www.techbooks.com>http://www.techbooks.com
david.rickard@techbooks.com
5650 Jillson St., Los Angeles, CA 90040
(323) 888-8889 x331
(323) 888-1849 (Fax)
Re: Concurrent login detection - how?
Posted by Michael Mehrle <mi...@datasaur.com>.
That actually goes to the heart of my question: HOW do I detect when their
session times out? ;-)
I know the 'strategy' of doing this, but I don't know how to capture a
timed-out session - technically. Any input would be welcome.
TIA,
Michael
----- Original Message -----
From: "David Rickard" <Da...@techbooks.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Tuesday, June 14, 2005 9:53 AM
Subject: Re: Concurrent login detection - how?
> Remove IDs from the List when users log out (and add a
> ServletContextListener to catch people who leave the site without logging
> out--remove their IDs when their sessions time out);
>
> At 09:22 AM 6/14/2005, you wrote:
>>What is the best way to detect two people being logged in concurrently
>>using
>>the same account? This is one aspect of my efforts to restrict fraudulent
>>access. Again, I don't want to use Acegi since it seems to break the rest
>>of
>>my app. So, what's the best way to do this 'traditionally'?
>>
>>Thanks!
>>
>>Michael
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>
>
>
> --
>
> David Rickard
> Software Engineer
>
> TechBooks/GTS
> Your Single Source Solution!
> Los Angeles CA * York, PA * Boston,MA * New Delhi, India
> Visit us on the World Wide Web
> <http://www.techbooks.com>http://www.techbooks.com
>
> david.rickard@techbooks.com
> 5650 Jillson St., Los Angeles, CA 90040
> (323) 888-8889 x331
> (323) 888-1849 (Fax)
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Concurrent login detection - how?
Posted by David Rickard <Da...@techbooks.com>.
Don't know if this is an optimum solution, but it should work:
Keep a List or Vector of IDs for active users in a shared,
application-level object (probably ServletContext);
When someone logs in, search the List for the submitted ID: if not present,
continue with login sequence; if present, kick them to the "duplicate
login" page;
Remove IDs from the List when users log out (and add a
ServletContextListener to catch people who leave the site without logging
out--remove their IDs when their sessions time out);
At 09:22 AM 6/14/2005, you wrote:
>What is the best way to detect two people being logged in concurrently using
>the same account? This is one aspect of my efforts to restrict fraudulent
>access. Again, I don't want to use Acegi since it seems to break the rest of
>my app. So, what's the best way to do this 'traditionally'?
>
>Thanks!
>
>Michael
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
--
David Rickard
Software Engineer
TechBooks/GTS
Your Single Source Solution!
Los Angeles CA * York, PA * Boston,MA * New Delhi, India
Visit us on the World Wide Web
<http://www.techbooks.com>http://www.techbooks.com
david.rickard@techbooks.com
5650 Jillson St., Los Angeles, CA 90040
(323) 888-8889 x331
(323) 888-1849 (Fax)