
access to all sessions?

Here's the scenario:
A web system with user accounts, and as each user logs in, their user info is stored in their session.
Now, a user admin can go and change/update people's information - is it possible to search through everybody's session objects to find that user info and update it?

In general, no.
However, it is quite possible to instead place an object (such as, for example, a HashMap keyed on userid or sessionid) in the application context rather than the session context. Each user session can then update its own details in the central object, and your admin servlet can have access to all the details from all the user sessions.

Good suggestion.
But how would I handle logouts? Assuming that users will just close the browser instead of logging out, how would I know to remove a user's info from the application context? I don't want to write a task that repeatedly checks last user activity every 30 mins.
On the other hand, is this the best way to do this?
I could just keep permanent data in the session, such as just the user id, but I'd like menu options to show up on the JSPs depending on a user's permissions, which can be modified.
[ August 29, 2003: Message edited by: Phil Chuang ]

Access to all sessions in a servlet context was part of an early version of the servlet API but they quickly realized that it was a security hole.
A number of early methods got deprecated - see for instance the getServlet( name ) method.
While you are looking at the API, look at the various Listeners such as the HttpSessionBindingListener interface for the answer to your tracking the expired sessions problem.
Bill

Hi,
The following is a partial solution that you may find useful. However, please be advised that if your web application works in a clustered environment you will need to take extra care synchronizing user information.
1. Create a Global Repository class (a Singleton with a HashMap) and helper methods to add/remove/update the HttpSession object based on the user id or the session id, whichever is unique. This is similar to what Frank has mentioned earlier.
Alternatively you can also use the ServletContext to store the session information as advised in the earlier posting. In this case the Global Repository becomes a mere convenience wrapper to the ServletContext and provides helper methods as above.

2. Create a Session Cleanup class that implements the HttpSessionBindingListener. The constructor will typically take the session id or the user id, whichever you use to look up the HttpSession from the Global Repository/ServletContext. Since this class implements the HttpSessionBindingListener you must provide implementations of valueBound and valueUnbound. The valueBound is just an empty stub.
The valueUnbound is a callback method and gets called when the user session gets invalidated (if HttpSession.invalidate() is called or a session timeout occurs, as configured in your web application's <session-timeout> element). You can do the required cleanup to remove the user information from the Global Repository (you already have the user/session to look up passed to the C'tor).
3. When you store the user information in the session, also create an instance of Session Cleanup and store it in the HttpSession. Also store the HttpSession in the Global Repository/ServletContext class using the helper methods.
4. Now let us say an Administrator updates some of the user information. The handler code will call a Global Repository helper method that iterates through the collection and finds the HttpSession. It retrieves the user information and compares it against the user id entry, and when it finds the one that matches, updates it as required.
Hope this helps.
Good Luck!!!
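
A sketch of the registry-plus-listener procedure described above, as an added example that is not code from any poster in this thread. It keeps only the user-info object in the registry (the HashMap-keyed-on-userid variant suggested earlier), so admin code never holds other users' HttpSession objects. Assumptions: the `javax.servlet` API, a single non-clustered node, and the hypothetical names `UserRegistry`, `UserInfo` and the `"user"` session attribute.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

// Hypothetical names: UserRegistry, UserInfo, the "user" session attribute.
public final class UserRegistry {
    // Steps 1-2: userId -> live UserInfo; guarded by the UserRegistry.class lock.
    private static final Map<String, UserInfo> ACTIVE = new HashMap<>();

    private UserRegistry() {}

    public static final class UserInfo implements HttpSessionBindingListener {
        private final String userId;
        private volatile Set<String> permissions; // swapped as a whole by the admin path
        private int boundSessions;                // guarded by the UserRegistry.class lock

        private UserInfo(String userId) { this.userId = userId; }

        public Set<String> getPermissions() { return permissions; }

        @Override public void valueBound(HttpSessionBindingEvent e) {
            synchronized (UserRegistry.class) { boundSessions++; ACTIVE.put(userId, this); }
        }

        // Runs on removeAttribute, HttpSession.invalidate() and <session-timeout> expiry.
        @Override public void valueUnbound(HttpSessionBindingEvent e) {
            synchronized (UserRegistry.class) {
                // The same user may hold several sessions; drop the entry with the last one.
                if (--boundSessions == 0) ACTIVE.remove(userId, this);
            }
        }
    }

    // Step 3: call after authentication, on a fresh session.
    public static synchronized void login(HttpSession session, String userId, Set<String> perms) {
        UserInfo info = ACTIVE.get(userId);
        if (info == null) info = new UserInfo(userId);
        info.permissions = Set.copyOf(perms);
        session.setAttribute("user", info); // binding triggers valueBound
    }

    // Step 4: admin path; returns false when the user has no live session.
    public static synchronized boolean updatePermissions(String userId, Set<String> perms) {
        UserInfo info = ACTIVE.get(userId);
        if (info == null) return false;
        info.permissions = Set.copyOf(perms);
        return true;
    }
}
```

Because every session of a user shares one `UserInfo`, a permission change made through `updatePermissions` is visible to the JSPs on that user's next request, with no polling task and no re-login.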