
JSP Session and validation

 
samart mateo
Ranch Hand
Posts: 37
I have a problem with user validation. For security, the system would allow only 1 user under the same userID to be logged in at one time. For this, I stored the user's status in the DB. The problem came when the user exits the system by clicking the browser's close button or the computer suddenly shuts down. The server would still have the user's status as online. So, when the same user would like to log back in, the system would deny his entry.

My questions are:

1. Let's say a false user had logged in using my ID. And later I would log in using my ID. How do I terminate the false user's authorization? I'm using JSP session for validation. How could I deny the false user's JSP session?

2. How to clear the log data in the DB when the system suddenly shuts down, so that the user's status would be declared as offline again?

I think the banking system would have the same security issue as mine. If anybody has experienced the same problem, please help me. Thank you.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65223
There is no reliable way -- as you have discovered in your other posted questions -- to know when the user has exited your site. You simply need to rely on the session timeout to tell you that a session has been inactive beyond the timeout limit.
 
Eddy Lee Sin Ti
Ranch Hand
Posts: 135
A few online banking systems that I have used implement the following:

1. Use JavaScript in the browser to log off the user when the browser closes down. (body.onunload)

2. Implement an HttpSessionListener to clear the user login status.

If you worry about the subsequent login being blocked by the first one, you can provide an overriding screen for the user to provide a password to "kick off" the previous logon.
 
Adeel Ansari
Ranch Hand
Posts: 2874
Originally posted by Eddy Lee Sin Ti:
1. Use JavaScript in the browser to log off the user when the browser closes down. (body.onunload)


It would definitely work in a happy scenario. But as Bear already said, "there is no reliable way to do that". It's worth implementing this one too, I must say.
 
Pradeep bhatt
Ranch Hand
Posts: 8933
Wouldn't it be possible to store the currently logged-in user info in memory rather than in the DB? When the session times out, remove the user entry even if the user failed to log out. I am assuming that you are not working in a non-clustered environment.
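
The two suggestions above (an HttpSessionListener that clears the login status, and an in-memory record of who is logged in that lets a new login "kick off" the old one) can be combined in one class. This is an added example, not code from any poster in the thread; the class name `SingleLoginRegistry`, the `userID` attribute name and the `login` helper are assumptions, and it covers a single, non-clustered server only.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class; register it as a <listener> in web.xml so the
// container calls sessionDestroyed() on logout AND on session timeout.
public class SingleLoginRegistry implements HttpSessionListener {

    // Assumed name of the session attribute holding the authenticated userID.
    static final String USER_ATTR = "userID";

    // userID -> the one session currently allowed for that user.
    // Held in memory, so a server restart starts with nobody marked online.
    private static final ConcurrentMap<String, HttpSession> ACTIVE =
            new ConcurrentHashMap<>();

    /** True if a different live session already holds this userID. */
    public static boolean isLoggedInElsewhere(String userId, HttpSession current) {
        HttpSession s = ACTIVE.get(userId);
        return s != null && !s.getId().equals(current.getId());
    }

    /** Call only after the password has been verified for this request. */
    public static void login(String userId, HttpSession session) {
        session.setAttribute(USER_ATTR, userId);
        HttpSession previous = ACTIVE.put(userId, session);
        if (previous != null && !previous.getId().equals(session.getId())) {
            try {
                previous.invalidate();   // ends the earlier logon's session
            } catch (IllegalStateException alreadyInvalid) {
                // the old session had already expired; nothing to do
            }
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) { }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession ended = se.getSession();
        Object userId = ended.getAttribute(USER_ATTR);
        if (userId != null) {
            // Drop the entry only if it still points at the session that ended,
            // so kicking off an old session never erases the new login.
            ACTIVE.computeIfPresent((String) userId, (k, cur) ->
                    cur.getId().equals(ended.getId()) ? null : cur);
        }
    }
}
```

A closed browser or a crashed workstation is then handled by the container's session timeout, which triggers `sessionDestroyed` without any client-side cooperation.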
 
samart mateo
Ranch Hand
Posts: 37
Originally posted by Pradip Bhat:
Wouldn't it be possible to store the currently logged-in user info in memory rather than in the DB? When the session times out, remove the user entry even if the user failed to log out. I am assuming that you are not working in a non-clustered environment.


I need to lock some 'editing capabilities' of certain pages from other users if one user is currently using that page.

For example, a user is currently editing the statuses of manufacturing parts of a project. And another user opens that page that holds the same project. The first user then saves his changes. And then, the second user saves his changes. The second save would overwrite the first save.

To avoid this, I stored the user log status in the DB. So, if a user is currently accessing a certain page, the system would lock the page from other users. If there's a way in JSP that the server could detect different sessions from different workstations, please let me know how to solve this.

Thank you all for your replies. However, I haven't tried HTTPListener yet. Thank you very much.
 
Adeel Ansari
Ranch Hand
Posts: 2874
Originally posted by samart mateo:
I need to lock some 'editing capabilities' of certain pages from other users if one user is currently using that page.

For example, a user is currently editing the statuses of manufacturing parts of a project. And another user opens that page that holds the same project. The first user then saves his changes. And then, the second user saves his changes. The second save would overwrite the first save.

To avoid this, I stored the user log status in the DB. So, if a user is currently accessing a certain page, the system would lock the page from other users. If there's a way in JSP that the server could detect different sessions from different workstations, please let me know how to solve this.

Thank you all for your replies. However, I haven't tried HTTPListener yet. Thank you very much.


It sounds like a write lock to me. Most databases do it for you.

If you want to stop the second user from viewing it as well, then you can try a read lock. We normally do it with a select..for update query in Oracle. DB2 and SQLServer also provide read lock queries.
 