How to block multiple logins of the same user

 
Ranch Hand
Posts: 341
What is the best way to block or prevent someone from logging in more than once at the same time with the same user?
 
Ranch Hand
Posts: 5093
You'll have to maintain a list of logged in users and check that list before you attempt to verify the password.
Make sure you also have a job running which clears any logged in users whose sessions have timed out out of the list (SessionListener might be a good way to do this).
 
author & internet detective
Posts: 42055
You have to be careful with this. What if I close the browser window and try to log in again? My original session still exists and has not been invalidated. Do you want the user to have to wait 30 minutes to have to get back in?
I would add an "are you sure" type mechanism if the user tries to log in again. If he really wants to log in, you could invalidate the first (inaccessible) session.
 
Ranch Hand
Posts: 937

Originally posted by Jeanne Boyarsky:
You have to be careful with this. What if I close the browser window and try to log in again? My original session still exists and has not been invalidated. Do you want the user to have to wait 30 minutes to have to get back in?



If a user closes the browser and opens a new browser, then the user will be assigned a new session, right? So why would the user want to wait 30 minutes?


I would add an "are you sure" type mechanism if the user tries to log in again. If he really wants to log in, you could invalidate the first (inaccessible) session


Can you please explain what that "are you" mechanism is?
 
Ranch Hand
Posts: 3178

Originally posted by sunitha ragam:

Can you please explain what that "are you" mechanism is?


That mechanism can make sure that the system will invalidate the user's previous session, create a session and associate with the user as a newly created session... We are not supposed to wait until the session time out to login again... Hope it helps....
 
Ranch Hand
Posts: 452
If a user closes the browser and opens a new browser, then the user will be assigned a new session, right? So why would the user want to wait 30 minutes?
This is exactly what we don't want; we don't want the same user to be able to log in multiple times. At the server, the session will be maintained for 30 min (or the time specified in web.xml). So for the next 30 min the server will assume that this same user is trying to log in again. In this situation there are two options:
1. Do nothing; the user will wait for 30 min before he can log in.
2. If the user logs in again, then invalidate the previous sessions.
The second option is preferred (it is used in Yahoo Messenger as well).
 
Ranch Hand
Posts: 8945

I would add an "are you sure" type mechanism if the user tries to log in again. If he really wants to log in, you could invalidate the first (inaccessible) session


Could you please tell me how to invalidate the previous user session? How do you get hold of the previous session id?
[ January 29, 2004: Message edited by: Pradeep Bhat ]
 
Ko Ko Naing
Ranch Hand
Posts: 3178

Originally posted by Pradeep Bhat:

Could you please tell me how to invalidate the previous user session? How do you get hold of the previous session id?
[ January 29, 2004: Message edited by: Pradeep Bhat ]


Using external resources like database.. But I believe that it's not an efficient way.....
 
Ranch Hand
Posts: 121
Another alternative is to store session state in business tier - using session bean..
 
Pradeep bhatt
Ranch Hand
Posts: 8945

Originally posted by Ko Ko Naing:

Using external resources like database.. But I believe that it's not an efficient way.....


You mean to say that storing session id in database? How will it work?
How do I get the session using a session id?
[ January 29, 2004: Message edited by: Pradeep Bhat ]
 
Ranch Hand
Posts: 1400

Originally posted by Pradeep Bhat:

Could you please tell me how to invalidate the previous user session? How do you get hold of the previous session id?
[ January 29, 2004: Message edited by: Pradeep Bhat ]


How about this ...
The moment the user logs in and a session is created for the user, put the session object in the servlet context against the userId "String".
Now if the user tries to re-login, before creating the session, try to see if there is any session object against that user-id "String" in the servlet context, and if there is, invalidate that session and create a new session.
 
Varun Khanna
Ranch Hand
Posts: 1400

Originally posted by Steffy:
Another alternative is to store session state in business tier - using session bean..


So till now you got away with this??
 
Pradeep bhatt
Ranch Hand
Posts: 8945

Originally posted by Varun Khanna:

How about this ...
The moment the user logs in and a session is created for the user, put the session object in the servlet context against the userId "String".
Now if the user tries to re-login, before creating the session, try to see if there is any session object against that user-id "String" in the servlet context, and if there is, invalidate that session and create a new session.


...and don't forget to remove the session from the servlet context when the session times out.
 
Ko Ko Naing
Ranch Hand
Posts: 3178

Originally posted by Pradeep Bhat:

You mean to say that storing session id in database? How will it work?
How do I get the session using a session id?
[ January 29, 2004: Message edited by: Pradeep Bhat ]


Saving user id, when he/she first logged into the system with a flag in the database and using that flag to determine whether he/she has logged out from the system or not... And the next time when he/she logged in, check that flag to know whether he/she has logged out from the system or not... Of course it's not an efficient way...
 
Pradeep bhatt
Ranch Hand
Posts: 8945
Ko Ko,
Consider
1. User logs in
2. Database updated to logged status
3. Application server crashes
4. user tries to log in again
5. User cannot log in because of the logged status (of course we could clear the flags when the app server starts)
 
Ko Ko Naing
Ranch Hand
Posts: 3178

Originally posted by Pradeep Bhat:
Ko Ko,
Consider
1. User logs in
2. Database updated to logged status
3. Application server crashes
4. user tries to log in again
5. User cannot log in because of the logged status (of course we could clear the flags when the app server starts)


Yeah, Pradeep... That's what I mean as well... It's nice that we have such a conversation like we did before.
How's your SCWCD Beta exam? I know you could do it, couldn't you?
 
Pradeep bhatt
Ranch Hand
Posts: 8945

How's your SCWCD Beta exam? I know you could do it, couldn't you?


Don't ask.
 
sunitha reghu
Ranch Hand
Posts: 937

Originally posted by Ko Ko Naing:

That mechanism can make sure that the system will invalidate the user's previous session, create a session and associate with the user as a newly created session... We are not supposed to wait until the session time out to login again... Hope it helps....



I know that, but the question is how to invalidate the previous session in an efficient way, which no one could answer till now.
 
Ko Ko Naing
Ranch Hand
Posts: 3178

Originally posted by sunitha ragam:


I know that, but the question is how to invalidate the previous session in an efficient way, which no one could answer till now.


Simply use request.getSession().invalidate(); or it will be automatically invalidated by the web container after the session timeout... What we set in the database is just a flag to show that the user did not log out in the past... The session might already have been invalidated a long time ago... Hope it is clear...
 
Jeanne Boyarsky
author & internet detective
Posts: 42055
I wouldn't use a database for storing the session id. As pointed out earlier, there are synchronization issues. More importantly, I wouldn't want to have the overhead of accessing the database an extra time whenever any user does something.
I would create a map (in application scope) with the username as a key and the session as a value. A session listener could be used to delete the session from the map when the session is invalidated or timed out. If the user wants to log in a second time, this provides an easy place to locate the old session and explicitly invalidate it.
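
The application-scope map described in the post above (and in Varun Khanna's earlier servlet-context suggestion), as an added example that is not part of the original thread. The class name `SingleSessionRegistry`, its methods and the `username` attribute are hypothetical, and the code assumes the `javax.servlet` 3.0+ API:

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical helper: one live session per username, newest login wins. */
@WebListener
public class SingleSessionRegistry implements HttpSessionListener {
    static final String USER_ATTR = "username"; // assumed attribute name
    // Application-scope map: username -> the session currently bound to it.
    private static final ConcurrentMap<String, HttpSession> ACTIVE = new ConcurrentHashMap<>();

    /** Lets the login page show an "are you sure" prompt before calling login(). */
    public static boolean isLoggedIn(String username) {
        return ACTIVE.containsKey(username);
    }

    /** Call only after the password has been verified. */
    public static HttpSession login(HttpServletRequest request, String username) {
        HttpSession stale = request.getSession(false);
        if (stale != null) stale.invalidate();   // never carry a pre-login session id over
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(USER_ATTR, username);
        HttpSession previous = ACTIVE.put(username, fresh); // atomic swap
        if (previous != null) {
            try {
                previous.invalidate();           // ends the older login immediately
            } catch (IllegalStateException alreadyGone) {
                // The container timed it out between put() and invalidate().
            }
        }
        return fresh;
    }

    @Override public void sessionCreated(HttpSessionEvent event) { }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        Object username = session.getAttribute(USER_ATTR);
        if (username == null) return;            // session never logged in
        // Remove the entry only if it still points at this session, so that
        // invalidating the old session does not unregister the new one.
        ACTIVE.computeIfPresent((String) username,
            (user, current) -> current.getId().equals(session.getId()) ? null : current);
    }
}
```

The map lives in a single JVM, so it is emptied on restart and is not shared between nodes of a clustered deployment.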
 
sunitha reghu
Ranch Hand
Posts: 937
Again, I KNOW request.getSession().invalidate(); or it will be automatically invalidated by the web container after the session timeout...
That is why in web.xml we write the session timeout, for the web container to invalidate the session...
But the question here is: suppose the user logged in with one browser open and again opened one more window and logged in again. In that scenario, how to invalidate the session? I think instead of going to the db and setting the flag and all that stuff, which hits the performance, it's better to get the IP and then invalidate.
Hope it's clear to you.

Originally posted by Ko Ko Naing:

Simply use request.getSession().invalidate(); or it will be automatically invalidated by the web container after the session timeout... What we set in the database is just a flag to show that the user did not log out in the past... The session might already have been invalidated a long time ago... Hope it is clear...


[ January 30, 2004: Message edited by: sunitha raghu ]
 
Ko Ko Naing
Ranch Hand
Posts: 3178

Originally posted by Jeanne Boyarsky:
I would create a map (in application scope) with the username as a key and the session as a value. A session listener could be used to delete the session from the map when the session is invalidated or timed out..


What if your application is down? Then everything inside that map will be gone... As I have mentioned before, using external resources like a database is not an efficient way; they are not volatile... And it is not a smart way to save the session id... Pradeep Bhat has already mentioned it... So we have to use the user id and a flag to mark the login status...
 
Ko Ko Naing
Ranch Hand
Posts: 3178

Originally posted by sunitha raghu:
I think instead of going to the db and setting the flag and all that stuff, which hits the performance, it's better to get the IP and then invalidate.
Hope it's clear to you.


Well, if you are going to use the volatile variables, what if your web app is down? You might want to have a look at my post above about it... Anyway, this discussion is some kind of worthy one... Let's try to solve it till we get the most reasonable answer...
 
sunitha reghu
Ranch Hand
Posts: 937
When the web app went down, the session got invalidated.
Then I don't need to worry about the user's multiple logins.
The issue is not that.
{Hope it's clear now}

Originally posted by Ko Ko Naing:

Well, if you are going to use the volatile variables, what if your web app is down? You might want to have a look at my post above about it... Anyway, this discussion is some kind of worthy one... Let's try to solve it till we get the most reasonable answer...

 
Jeanne Boyarsky
author & internet detective
Posts: 42055
Sunitha,
The IP address isn't enough to be unique. At work we go through a proxy server so it looks as if everybody is going through the same IP.
The session id is unique. I'm not sure how we got away from that.
 
Ranch Hand
Posts: 76
So the answer is still not clear.
I would use a database and store the session-related information in the database. There is no point saying "what if the database goes down?" There is always some backup for the database. So the best way is to store the user session info and, if the user logs in again, invalidate the previous message. I think other approaches are quite difficult to manage.
Please suggest a better approach, if someone can?
 