how to prevent multiple login by the same user
posted 15 years ago
Hello everyone,
I am developing an application that needs to prevent a user from carrying out multiple login using the same account.
I obviously need to do something with the user session, but i really don't have a clear idea about it. I would appreciate any help on this.
thanks.
I am developing an application that needs to prevent a user from carrying out multiple login using the same account.
I obviously need to do something with the user session, but i really don't have a clear idea about it. I would appreciate any help on this.
thanks.
posted 15 years ago
Hi
Please go through the Session Tracking API.
The general way is create a session ID and generate a cookie with the session ID as value and add it to the response.
I believe for every client a particular instance of the servlet is run, in that case even though you generate the sessionID, some one can very well login from new browser from the same PC which very often happens with our email accounts, In that case you have two option either write the session ID into a global variable (I am not sure but you can set the properties) and check every time the page is requested. You cannot write the variable into an array as the array is dynamically generated and will get destroyed as soon as the instance is finished and is only accessible to that particular servlet object.
The other option is write to a temporary file and always check wether the session ID is registered, ofcourse you try to develop a timestamp to remove the session registered after a particular time.
I wish some one give more information on how can we set global variables dynamically instead of using temporary files. I tried once never I got the result.
Please go through the Session Tracking API.
The general way is create a session ID and generate a cookie with the session ID as value and add it to the response.
I believe for every client a particular instance of the servlet is run, in that case even though you generate the sessionID, some one can very well login from new browser from the same PC which very often happens with our email accounts, In that case you have two option either write the session ID into a global variable (I am not sure but you can set the properties) and check every time the page is requested. You cannot write the variable into an array as the array is dynamically generated and will get destroyed as soon as the instance is finished and is only accessible to that particular servlet object.
The other option is write to a temporary file and always check wether the session ID is registered, ofcourse you try to develop a timestamp to remove the session registered after a particular time.
I wish some one give more information on how can we set global variables dynamically instead of using temporary files. I tried once never I got the result.
s.r.k.reddy<br />Good Luck.
posted 15 years ago
Hi Inah,
What you can do is to keep a sort of "User" bean in the application (and not session) context so that it is visible to the whole app. This bean then has an instance variable of type Vector where you keep all the user's login info (user id, name, etc.). Then everytime a user logs in, you check whether that user is already in the User bean. Please remember to remove a user from the bean at logout (that explains an instance variable of type Vector because it will do a lot of resizing).
Hope that helps.
Ex Animo Java!
-- Val
What you can do is to keep a sort of "User" bean in the application (and not session) context so that it is visible to the whole app. This bean then has an instance variable of type Vector where you keep all the user's login info (user id, name, etc.). Then everytime a user logs in, you check whether that user is already in the User bean. Please remember to remove a user from the bean at logout (that explains an instance variable of type Vector because it will do a lot of resizing).
Hope that helps.
Ex Animo Java!
-- Val
"Knowledge is power, but enthusiasm is the key." -- Lavern Barn
posted 15 years ago
Using sessions could be part of the solution, and beans could help too, but you still haven't covered what happens if a user doesn't logout. First have a read of this similar thread
(I also recommend searching the JavaRanch Saloon for 'multiple user login' or similar)
The main problem is that if you 'lock a user out' from logging in, there is no definite way to make sure they have left the site and can therefore login again. You have to maintain some user-management list which duplicates some session functionality but is not the same.
(I also recommend searching the JavaRanch Saloon for 'multiple user login' or similar)
The main problem is that if you 'lock a user out' from logging in, there is no definite way to make sure they have left the site and can therefore login again. You have to maintain some user-management list which duplicates some session functionality but is not the same.
posted 15 years ago
Why not ? You have a collection object of scope application which contains the user objects .
To manage the logout of users ... we will also have a bean of scope session which will implement HttpSessionBindlingListener.
Now, when the user logs out normally, we invalidate the session, and the value unbound method of the session management bean gets called automatically( and updates the collection of logged on users)
If the user does not log off(but closes the browser) .. his session will time out automatically and at that time valueUnbound method gets called and at that time we can remove the user from the logged on list...
And I need not mention that access to the collection object in scope application should be synchronous...
To manage the logout of users ... we will also have a bean of scope session which will implement HttpSessionBindlingListener.
Now, when the user logs out normally, we invalidate the session, and the value unbound method of the session management bean gets called automatically( and updates the collection of logged on users)
If the user does not log off(but closes the browser) .. his session will time out automatically and at that time valueUnbound method gets called and at that time we can remove the user from the logged on list...
And I need not mention that access to the collection object in scope application should be synchronous...
Originally posted by David O'Meara:
The main problem is that if you 'lock a user out' from logging in, there is no definite way to make sure they have left the site and can therefore login again. You have to maintain some user-management list which duplicates some session functionality but is not the same.
Shubhrajit
posted 15 years ago
So if someone closes their browser without logging out, they cannot login for a period of time until the session expires on the server.
The question still is: how long will this be and is this acceptable behaviour?
It's a problem that has to solved on a per-case basis, but personally I find that it's easier to allow users to log in multiple times and manage that instead.
eg: If you're preventing multiple logins so that you don't have to worry about synchronizing user resources, you can't stop them opening multiple browser windows with the same session ID.
Guess I see it as the right solution to the wrong problem...
The question still is: how long will this be and is this acceptable behaviour?
It's a problem that has to solved on a per-case basis, but personally I find that it's easier to allow users to log in multiple times and manage that instead.
eg: If you're preventing multiple logins so that you don't have to worry about synchronizing user resources, you can't stop them opening multiple browser windows with the same session ID.
Guess I see it as the right solution to the wrong problem...
Shubhrajit Chatterjee
Ranch Hand
Posts: 356
posted 15 years ago
Yep .. we cannot prevent this ... incidentally this happens in IBM OS/390 mainframes too
What is an acceptable time limit ... that depends on the app
I do agree with you , wholeheartedly ... but clients fix the requirments ... we implement it
Originally posted by David O'Meara:
So if someone closes their browser without logging out, they cannot login for a period of time until the session expires on the server.
Yep .. we cannot prevent this ... incidentally this happens in IBM OS/390 mainframes too
What is an acceptable time limit ... that depends on the app
It's a problem that has to solved on a per-case basis, but personally I find that it's easier to allow users to log in multiple times and manage that instead.
Guess I see it as the right solution to the wrong problem...
I do agree with you , wholeheartedly ... but clients fix the requirments ... we implement it
Shubhrajit
Val Pecaoco
Ranch Hand
Posts: 156
posted 15 years ago
Hi guys,
Maybe this boils down to the issue of HTTP being session-less? I've read somewhere that there are moves (from a guy from Redmond?!) to revamp the current (aging) specification of HTTP to make it more attuned to the times.
Back to the thread...I've already implemented an app based on this kind of policy (single user/single sign-on session), and from my experience there was no suitable solution to that of a user just closing the browser and not formally logging out. But what I did was to inform the user that he/she still has a live session and he/she couldn't log in until that session times out. Furthermore, I inform him/her that it is a security feature of the app and that's how things work. Maybe that way it will encourage the user to use the log out button the next time around. (It doesn't require a great energy to click the log out button, just one little flip of a finger.)
Just my $0.02
Ex Animo Java!
-- Val
[ July 24, 2002: Message edited by: Val Pecaoco ]
Maybe this boils down to the issue of HTTP being session-less? I've read somewhere that there are moves (from a guy from Redmond?!) to revamp the current (aging) specification of HTTP to make it more attuned to the times.
Back to the thread...I've already implemented an app based on this kind of policy (single user/single sign-on session), and from my experience there was no suitable solution to that of a user just closing the browser and not formally logging out. But what I did was to inform the user that he/she still has a live session and he/she couldn't log in until that session times out. Furthermore, I inform him/her that it is a security feature of the app and that's how things work. Maybe that way it will encourage the user to use the log out button the next time around. (It doesn't require a great energy to click the log out button, just one little flip of a finger.)
Just my $0.02
Ex Animo Java!
-- Val
[ July 24, 2002: Message edited by: Val Pecaoco ]
"Knowledge is power, but enthusiasm is the key." -- Lavern Barn
no_nos
Greenhorn
Posts: 4
posted 15 years ago
thanks everyone for your help..
I guess the best option maybe is to create a bean at the application level and not session as described by Val. Using the session timeout, logout and login functionalities to describe the ppty of the bean, and also ensuring the user is informed of a life-session incase a browser is just closed.
..but i am abit worried about how to coordinate activity b/w the bean and the browser to know when a user just closes the browser..
Inah.
thanks everyone for your help..I guess the best option maybe is to create a bean at the application level and not session as described by Val. Using the session timeout, logout and login functionalities to describe the ppty of the bean, and also ensuring the user is informed of a life-session incase a browser is just closed.
..but i am abit worried about how to coordinate activity b/w the bean and the browser to know when a user just closes the browser..
Inah.
posted 15 years ago
HI,
Here’s something that work in JavaScript for IE (but not very clean).
In the onUnLoad event of the html tag, use the mouse position to determine if the browser close button has been click (x and y coordinates are always negative for this button):
Function unLoadPage ()
{
if ( window.event)
{
if (window.event.clientX < 0 && window.event.clientY < 0 )
{
// do something
document.location.href = '';
}
}
window.self.close;
}
Hope this helps for browser closing.
Regards,
Piyush
Here’s something that work in JavaScript for IE (but not very clean).
In the onUnLoad event of the html tag, use the mouse position to determine if the browser close button has been click (x and y coordinates are always negative for this button):
Function unLoadPage ()
{
if ( window.event)
{
if (window.event.clientX < 0 && window.event.clientY < 0 )
{
// do something
document.location.href = '';
}
}
window.self.close;
}
Hope this helps for browser closing.
Regards,
Piyush
"A scientist is not person who gives right answers but a person who asks right questions"
posted 15 years ago
And remember you still can't tell if the browser crashes, the OS crashes, the machine is just switched off or someone pulls the plug, the network goes out for a while etc. etc.
The best you can get from a browser is a hint, sometimes, that the user has logged off. you should never rely on it.
The best you can get from a browser is a hint, sometimes, that the user has logged off. you should never rely on it.
| Don't get me started about those stupid light bulbs. |