• Post Reply Bookmark Topic Watch Topic
  • New Topic

Ending a "specific" session

 
Steve Su
Greenhorn
Posts: 4
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I have a JSP page that tracks all of the current sessions for administration purposes. Lets say that I currently see 5 active sessions (5 users on my website). Session #1 has sessionID: aki31Y5Uy45d. I want to know how can I manually end session #1.
I tried application.removeAttribute("aki31Y5Uy45d") but it did not work.
[ October 16, 2003: Message edited by: Steve Su ]
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 35719
412
Eclipse IDE Java VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Steve,
You can use session.invalidate() to do that.
 
Andres Gonzalez
Ranch Hand
Posts: 1561
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Jeanne Boyarsky:
Steve,
You can use session.invalidate() to do that.

Yes, and the container takes care of the current session you're working on, so you don't have to deal with sessionIDs
 
Sainudheen Mydeen
Ranch Hand
Posts: 218
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I think Steve wants to invalidate one session out of 5 active sessions present in the container through a seperate JSP program which is monitoring the active sessions. Is that possible with session.invalidate() ?
-Sainudheen
 
Andres Gonzalez
Ranch Hand
Posts: 1561
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Sainudheen Mydeen:
I think Steve wants to invalidate one session out of 5 active sessions present in the container through a seperate JSP program which is monitoring the active sessions. Is that possible with session.invalidate() ?
-Sainudheen

session.invalidate() invalidates the current session associated with *that* request.
 
Mark Spritzler
ranger
Sheriff
Posts: 17290
9
IntelliJ IDE Mac Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
So Steve's question is still not answered. His JSP page is an administration page for the web server. Doesn't the Web server already have such a maintenance page?
I don't think that JSP or Servlets in this case should have security access to other people's sessions, that would be scary in the real world. That would mean I could go to someone's web server get a list of all the sessions and kill people's sessions that I don't even know. Good Hacking tool there.
Mark
 
Praveen Garimella
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Steve,
There is a way of getting the HttpSession Object using the getSession(java.lang.String sessionID) method of the HttpSessionContext interface. You can also get the list of all session IDs using the getIDs method of the HttpSessionInterface.
But these methods are deprecated in the Servlet 2.1 API and would be removed from the future versions of Servlet API.
Cheers
Praveen
 
Steve Su
Greenhorn
Posts: 4
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Sainudheen Mydeen:
I think Steve wants to invalidate one session out of 5 active sessions present in the container through a seperate JSP program which is monitoring the active sessions. Is that possible with session.invalidate() ?
-Sainudheen

Yes, that is what I want to do, which I don't think session.invalidate() would work in this case. My purpose of doing this is to track down somebody who logged in, made change #1 to his cart, closes the browser without logging out, logs back in before his first session times out, makes change #2 to his cart, and this time logs out properly using the logout button (this is the only place where I am able to invalidate the user). I use HttpSessionBindingListener to update my DB (user's cart) when the user logs off. The problem with the above scenario is that change #2 will go into effect immediately, and then change #1 will go into effect when the user's first session ends (~30 min. later), which is the reverse of the user's intention (change #2 to be the final change). My solution around this was to track all of the users who currently has an active session. Once I caught a user trying to log in again before his first session ends, I will help end his first session (which will make the user's change #1 go into effect right away) and allow him to start a new session. The problems comes with trying to end a specific session out of a list of active sessions.
I could have accomplish the task if I was able to capture of closing of the browser event, but apparently after searching through JavaRanch and else where the propose methods do not work. For instance, onBeforeUnload would not work because in addition to closing the browser, refreshing the browser or leaving the browser would also trigger the onBeforeUnload event.
Sorry for being so lengthy!
Any suggestions?
 
Sunil Karumuri
Greenhorn
Posts: 3
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Not sure if this is a good idea but definitely worked for us.
Create a data structure to store user information and add it to session during logon.
Add refereneces of session objects to a somekind of list (Arraylist) and store this list in Application object.
You now have access to all session objects and can call session.invalidate() on the selected session isntance and delete from list.
Make sure you delete the session instance from the list when the session times out using HttpSessionBindingListener
 
Amit Chandak
Greenhorn
Posts: 9
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
may be what you can do is add a listener so that your session object is persisted to the database each time an item is added/removed from the cart....
 
Mark Spritzler
ranger
Sheriff
Posts: 17290
9
IntelliJ IDE Mac Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I think Sunil has a good idea. Maybe you can store a user_id in the session, then when you want to find which is their old session, you go through the sessions, find the one with that users id, then end that session. the sessions could be in an ArrayList holding their references.
Not positive if it will work, but sounds like a good idea.
Mark
 
Stan James
(instanceof Sidekick)
Ranch Hand
Posts: 8791
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I recall working on a system that kept a db entry keyed by user identity (userid) and holding a session id. If you did the scenario above the first session would write a db entry with a session id, the second session would overwrite it with another session id. Only the current session id can do any updates, so if the first session attempted an update at expire time, it would not match the db entry and would be ignored. The effect our user saw was that if they logged on one machine, then walked across the office and logged on another, the first machine no longer worked.
 
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!