
How to stop multiple login for same userid and password

 
jainnedra singh
Greenhorn
Posts: 7
Hi All,

I'm creating a site that requires people to register and login for access to certain pages.
I want to stop users from giving out their username/password to other people by denying access to more than one person using the same username at the same time.

jainendra
 
Johnson Abraham
Greenhorn
Posts: 19
Simplest way to achieve this is on the database side.

You can add a field like login_status number(1) in your database table which stores the information about the username and password of users. As soon as any user logs in, set its value to 1. Now every time any other user tries to log in with that username, you can easily check the value in login_status. If the value is not 1, let him log in; else throw an error page.
As soon as the logged in user clicks logout you can set it back to 0.
[ June 04, 2004: Message edited by: Johnson Abraham ]
 
Jeroen Wenting
Ranch Hand
Posts: 5093
That's of course only the half of it!
You will need to keep track of when user logins expire without them logging out explicitly (session expiration most likely), and clear the login info from the database at that time or people won't be able to log back in when their session expires or they close their browser without logging out.

A far better way is to keep track of logged in users and log out existing sessions when a new session logs in.
 
Peter den Haan
author
Ranch Hand
Posts: 3252
Seconded. If the application is a low-volume app that will always sit on a single server, you don't even need the database, just an application-scoped (ServletContext-scoped) Map that maps user to the current session ID for that user. The login code would do something like:

Then on every request - probably in a servlet filter - you could do something like:

The loggedOnUsers map is best initialised in a context listener when the webapp starts up. Make sure that this map is a synchronized map, e.g. a Collections.synchronizedMap(new HashMap()). This happens to be one of the few occasions where a simple synchronized map will do the job (usually you need to synchronize by hand on a coarser-grained level).

If not using container authentication, replace request.getUserPrincipal() by something appropriate. When you need to do this on a cluster, the loggedOnUsers map needs to go into a database.

- Peter
[ June 04, 2004: Message edited by: Peter den Haan ]
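
An added example, not part of the thread and not any poster's code: a plain-Java model of the user-to-session map described above, using the policy where a new login displaces the older session. `SessionRegistry` and its method names are hypothetical, session IDs are passed as plain strings instead of coming from an `HttpSession`, and a `ConcurrentHashMap` stands in for the synchronized map.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

// Added illustration: SessionRegistry and its method names are hypothetical.
// In a servlet app, one instance would live in the ServletContext; login() would be
// called from the login code, isCurrent() from a filter on every request, and
// sessionEnded() from logout and from HttpSessionListener.sessionDestroyed().
public class SessionRegistry {
    // user name -> ID of the one session currently allowed for that user
    private final ConcurrentMap<String, String> loggedOnUsers = new ConcurrentHashMap<>();

    /** Record a successful login. Returns the session ID that was displaced, or null. */
    public String login(String user, String sessionId) {
        return loggedOnUsers.put(user, sessionId);
    }

    /** Per-request check: is this session still the registered one for the user? */
    public boolean isCurrent(String user, String sessionId) {
        return sessionId.equals(loggedOnUsers.get(user));
    }

    /** Logout or expiry. Removes the entry only if it still belongs to this session,
     *  so a displaced session that times out later cannot log the newer one out. */
    public boolean sessionEnded(String user, String sessionId) {
        return loggedOnUsers.remove(user, sessionId);
    }

    public static void main(String[] args) {
        SessionRegistry registry = new SessionRegistry();
        // Constructed sample data: one account used from two browsers.
        registry.login("alice", "SESSION-A");
        String displaced = registry.login("alice", "SESSION-B"); // second login wins
        System.out.println("displaced session: " + displaced);
        System.out.println("A current? " + registry.isCurrent("alice", "SESSION-A"));
        System.out.println("B current? " + registry.isCurrent("alice", "SESSION-B"));
        // The displaced session expires later; B's entry must survive.
        System.out.println("A expiry removed entry? " + registry.sessionEnded("alice", "SESSION-A"));
        System.out.println("B current? " + registry.isCurrent("alice", "SESSION-B"));
        // B logs out normally; the account is free again.
        System.out.println("B logout removed entry? " + registry.sessionEnded("alice", "SESSION-B"));
        System.out.println("B current? " + registry.isCurrent("alice", "SESSION-B"));
    }
}
```

When the filter finds that `isCurrent()` is false, it would invalidate that request's session and redirect to the login page.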
 
Stan James
(instanceof Sidekick)
Ranch Hand
Posts: 8791
Someone else posted a solution recently that if someone attempted to log on with an id that was already in use the older session was bumped off and the new one was allowed. That's a good solution for honest users who maybe closed the browser without logging off, or walked across the building and tried to log on another PC. It might also be appropriately frustrating for dishonest users who are trying to share an id.
 
sarah Marsh
Ranch Hand
Posts: 282
Could you point out the link? Thanks!
 