• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Tim Cooke
  • paul wheaton
  • Jeanne Boyarsky
  • Ron McLeod
Sheriffs:
  • Paul Clapham
  • Liutauras Vilda
  • Devaka Cooray
Saloon Keepers:
  • Tim Holloway
  • Roland Mueller
Bartenders:

Prevent Duplicate Logins

 
Ranch Hand
Posts: 375
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I have a simplet servlet which maintains active users. They are active when they successfully login, and deamed inactive if they manually click on the logout button from the client, which is used to remove them from a HashMap of current users.

The problem is that if the user just closes the browser, I don't know how to determine this to remove them from the HashMap of active users. I realise that no messege is sent from the client to the server when a user agent is closed. So how can I do this? I already have a session timeout, but this is not so good because if the user accidently closes the browser, they will not be able to log back in until the old session times out. The whole point of my servlet is to prevent duplicate login's, so they will be locked out until the session terminates, before being able to get back in again.

Can anyone think of a better solution to prevent duplicate logins? I simply store the username in the HashMap as a String object (the username parameter), and everytime a client tries to login, the servlet checks to see if the username matches an existing username in the HashMap, if not, they are authenticated and if successful, added to the HashMap ready for the next login attempt.

I have already searched but found nothing concrete.
[ March 30, 2005: Message edited by: Kashif Riaz ]
 
Ranch Hand
Posts: 149
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Kashif,

no concrete? But "Es kommt drauf an, was man draus macht "

... anyway

I think there is no elegant way to solve this. This question arises on
a very regular base here. We have much better persistence with Servlets
than we had in the olde CGI days, but since essential client events
simply dont exist( having a "browserInstanceClosed" Event in JavaScript
would be paradise ) you have to cope with this annoying phenomenon.

So closing the window means leaving the context of authenticated usage
for the user.

Only thing i could imagine would be the use of a handcarved session-cookie
on the client side, but that would mean cookies need to be enabled for your
application to run.

And since we can read so many bad things in the popular computer press about
cookies (drink all the cold beer in the fridge and replace it with lukewarm
diet pepsi, tell your wife the phonenumber of your girlfriend and even
worse - vice versa) chances are the coward user will have cookies disabled.




J.
[ March 30, 2005: Message edited by: Jeffrey Spaulding ]
 
Ranch Hand
Posts: 39
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Kashif,

I (along with about 1 million other people, it seems) had this problem and 'solved' it by checking the hash map of logged in users to see if the user was already logged in. If so I transferred all the session attributes over to the newly created session and automatically invalidated the old one.

This had the effect of restoring a user's old session if they logged in before the session timed out, otherwise a new session was created from scratch. It's not a particularly elegant solution and causes quite interesting problems if a user tried to log in twice on different browsers, but it was better than nothing.

cheers,
Pete
 
Ranch Hand
Posts: 232
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
There is a interesting way to solve this.
There is one function in javascript which is onUnload() function. When a browser window is closed, then this unlooad function is called. use the code and tell us all whether this can solve your problem. By the way this works only with IE. Yet to research in Netscape and Mozilla.



In the servlet "LogOff" remove the user from the HashMap and give a message which says "you have been logged off". The message will appear in a popup window.

Hope this helps. Let me know if this has solved your problem.
 
K Riaz
Ranch Hand
Posts: 375
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks for the replies.

I tried the javascript but I cannot get it to submit the form if the user agennt is closed:



Here, after the alert is called, nothing is sent to the server.

[ March 30, 2005: Message edited by: Kashif Riaz ]
[ March 30, 2005: Message edited by: Kashif Riaz ]
 
Sripathi Krishnamurthy
Ranch Hand
Posts: 232
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
<body onUnload="unloadEvent()">
<form id="pageForm" action="./controller" method="POST" name="form"><input type="hidden" name="operation" value="logout" /></form>
</body>

can you try this?
 
K Riaz
Ranch Hand
Posts: 375
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks I got it working. It also works if you supply a href in the html.
 
Sripathi Krishnamurthy
Ranch Hand
Posts: 232
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Kashif Riaz:
Thanks I got it working. It also works if you supply a href in the html.



So you are able to delete users from the HashMap when the browser is closed using the javascript? where the href come into picture?
 
Ranch Hand
Posts: 2874
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I am thinking of something else, something server-side. It is not cookies too.

Why not let the user login again and if entry already exist in map then transfer all the stuff from this session to the new session and after that delete the old entry, invalidate that session, and make a new entry.

But yes it has a problem. Assume, a user is already logged in and using the app and meanwhile same user do login from other machine then the first one automatically logged out. Dont know if it is Ok for you?
 
Ranch Hand
Posts: 1087
Oracle Spring Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Adeel Ansari:
I am thinking of something else, something server-side. It is not cookies too.



I agree with adeel, also not cookies because deleting cokkies may cause a some other condition to handle.but server side solution would be more reliable
 
K Riaz
Ranch Hand
Posts: 375
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Sripathi Krishnamurthy:


So you are able to delete users from the HashMap when the browser is closed using the javascript? where the href come into picture?



The href just sends a request to the server with the logout attribute as a parameter (cleaner way than using a form). Once the request is received by the server, it can remove the user from the HashMap.

Originally posted by Adeel Ansari:

Why not let the user login again and if entry already exist in map then transfer all the stuff from this session to the new session and after that delete the old entry, invalidate that session, and make a new entry.



I cannot do this for my application because if someone else is logged in with the same credientials as an other user, they should simply be sent a message of "Username in use". It's a requirement
[ March 31, 2005: Message edited by: Kashif Riaz ]
 
Ranch Hand
Posts: 429
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I cannot do this for my application because if someone else is logged in with the same credientials as an other user, they should simply be sent a message of "Username in use". It's a requirement

I think that's a pretty hard requirement to satisfy with web applications because of the already mentioned possibility of a user closing a browser. What might work, though it won't be pretty, is setting the session timeout very low, and using asynchronous javascript (like the XmlHttpRequest object) on every page to keep the session alive by sending a message to the server every so often.

-Yuriy
 
(instanceof Sidekick)
Posts: 8791
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I used to use a system with a logon HERE option that invalidated any other session the same username might have. You could tell the user that the username is already in use and ask if they want to log on anyhow. I don't know any better solution for somebody who kicked the network cable loose and doesn't want to wait for the session to time out.

Do users share usernames? This kind of thing just doesn't work out well if everybody in some department logs in with the same id.
 
You learn how to close your eyes and tell yourself "this just isn't really happening to me." Tiny ad:
Smokeless wood heat with a rocket mass heater
https://woodheat.net
reply
    Bookmark Topic Watch Topic
  • New Topic