login mechanism using JAVA

 
Ranch Hand
Posts: 205
Hi All,
I have a problem related to the login mechanism.
Currently, I am working on a J2EE application, which uses a login mechanism to allow users
to gain access to the application. Now I need to do the following.
If a user logs in with his/her own username/password from one PC, then
(1) Application should not allow logging in with same username/password from other PC.
(2) Application should not allow logging in with same username/password from same PC using
another browser window.
(3) Application should be able to handle unexpected log out like shutting down PC, crashing browser window, accidental killing of browser window etc.
I am using JSP, servlet, EJB with Oracle 9IAS as application server on Apache web server.
Using Oracle 8I database.
Can anyone suggest what the possible solutions could be to implement this efficiently?
Any suggestions are highly appreciated.
Thanks in advance.
Himanshu
 
Greenhorn
Posts: 1
I don't think there is a straightforward way to do this. These are my thoughts.
Assuming that you are using a central servlet, where every request goes to the servlet and is distributed from there.
(1) Application should not allow logging in with same username/password from other PC.
(Have a singleton class or instance hashmap to store the active user information to know who is logged in and logged out at a given moment. For this you can use sessionBindingListener, which fires an event whenever a user logs in or logs out. With this you can restrict the user from logging in a second time.)
(2) Application should not allow logging in with same username/password from same PC using
another browser window.
(3) Application should be able to handle unexpected log out like shutting down PC, crashing browser window, accidental killing of browser window etc.
(An extension of the above answer. This is a little difficult to achieve, because there is no control over closing the browser. The session will expire only after a certain amount of time, so you can't control that. My suggestion is to maintain a window name for the result page (or login page) and pass the result to that window. So, even if a person tries to log in from two browsers, his response will go to only one browser.)
But....!!! The user can still use the two browsers. After he logs in and presses Control+N, the same session will be shared, and he can operate on these two windows. How can you control that?? He need not even log in a second time to use another browser.
 
(instanceof Sidekick)
Posts: 8791
To prevent one user on multiple PCs, you need some kind of state (in memory, database, etc) that tracks who is logged on where by IP addresses or whatever applies to your client.
If you prevent multiple logons be sure to allow some mechanism for clearing that state. It's easy to get things messed up so the state thinks someone is logged on when they're not so they cannot log on again.
Detecting close browser is tough. Heavy weight solution: Run an applet with a socket connection to server, have the server ping the applet every so often to see if it's still alive. I've seen this done in work routing applications that have to know when the client is available.
Kamal mentioned Ctrl-N (file/new/window in IE) to get a new browser window. In the past, we have had to distinguish between this which shares cookies and session stuff, and starting a new instance of IE which does not. On a couple projects we allowed multiple login from same machine and the second login invalidated the first session so the first window no longer worked. Not pretty.
 
Ranch Hand
Posts: 121
Hi dudes,
Correct me if I am wrong.
This is the way I would look at the solution. My solution might be comparatively slower; if you get a faster alternative do let me know as well.
1. No 2 browsers should enable the same person logging in.
I would have a flag column in the database in my login and password table. When someone's inside, I say the flag is 1/True... whatever. So every time someone logs in I know by the status of this flag.
As far as the Ctrl N stuff is concerned, that's a tricky one; I would still need to think on it.
And as far as the accidental/deliberate shutting down/browser closing is concerned,
you could reset the above-mentioned flag once the default time (time for which if the browser is inactive you log off a person) is over; you need to log him off automatically.
 
Stan James
(instanceof Sidekick)
Posts: 8791
I'd probably try to keep the user's location (IP address) maybe in a session table rather than a flag in the user table. And I'd let them log in twice from the same location.
This would let them log in from two IE instances which is not real good. In other apps I've worked on, doing so established a new session and wiped out the old one, making the old IE window "no longer logged in." Not pretty, but we lived with it.
But if we don't allow them to log in again and they accidentally close a browser they are locked out for the time-out period. My customers report the dollar value of every minute of downtime for every user and I don't want to be on that list because they are locked out!
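An added example, not code from any poster in this thread: one way to combine the in-memory registry plus session binding listener suggested above with the "second login wipes out the old session" policy described in this post. It assumes the Servlet API (`javax.servlet.http`) is on the classpath and that the login servlet calls `register` once, with the new session, after the password check succeeds; the class name `LoginToken` and the attribute name are hypothetical.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Stored in the session; the container calls valueUnbound on logout, invalidate() AND timeout. */
public final class LoginToken implements HttpSessionBindingListener {
    public static final String ATTR = "loginToken"; // hypothetical attribute name

    // username -> token of the single session that currently owns that login
    private static final ConcurrentMap<String, LoginToken> ACTIVE =
            new ConcurrentHashMap<String, LoginToken>();

    private final String username;
    private final HttpSession session;

    private LoginToken(String username, HttpSession session) {
        this.username = username;
        this.session = session;
    }

    /**
     * replaceOld=false: refuse the second login (user stays locked out until the
     * old session times out). replaceOld=true: the new login wins and the old
     * browser window is logged out. Returns false only when the login is refused.
     */
    public static boolean register(String username, HttpSession session, boolean replaceOld) {
        LoginToken mine = new LoginToken(username, session);
        LoginToken old = ACTIVE.putIfAbsent(username, mine);
        if (old != null) {
            if (!replaceOld) {
                return false;
            }
            ACTIVE.put(username, mine);        // take over the entry first
            try {
                old.session.invalidate();      // fires old.valueUnbound()
            } catch (IllegalStateException alreadyInvalidated) {
                // old session expired in the meantime; nothing left to clean up
            }
        }
        session.setAttribute(ATTR, mine);
        return true;
    }

    public void valueBound(HttpSessionBindingEvent event) { }

    public void valueUnbound(HttpSessionBindingEvent event) {
        // Two-argument remove: a replaced token must not delete its successor's entry.
        ACTIVE.remove(username, this);
    }
}
```

Because `valueUnbound` also runs when the container expires the session, a closed or crashed browser frees the login after the configured session timeout without any client-side signal. The map is per JVM, so a clustered deployment would need the same state in a shared store such as a session table.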
 
Stan James
(instanceof Sidekick)
Posts: 8791
Forgot to ask - Do you have an option to BUY a solution? Look at SiteMinder by Netegrity. Buy vs build saves coding time and long term ownership issues, plus products like SiteMinder give you good single signon - one login for a whole collection of cooperating applications. That's hard to build from scratch!
http://www.netegrity.com/products/products.cfm?page=SMoverview
 