Duplicated Login

 
Alec Lee
Ranch Hand
Posts: 569
Whenever someone logs in, I will search through a HashMap of sessions in the ServletContext to check for an existing username. My problem is what we should do if there really is an existing session with the same username. There are only 2 possibilities: (1) prevent the second user from logging in, or (2) do something to the first session (probably session.invalidate()).

A user may close the browser without logging out. In this case, the session will hang around until it times out by itself. If we use strategy (1), a user who mistakenly closed a window is unnecessarily barred from accessing the system until his session times out.

Now, if we use strategy (2), the current user may be right in the middle of calling session.getAttribute() and may suddenly encounter an IllegalStateException with no idea of what is going on.

So, what should be the ideal strategy for handling duplicated login?
 
Jaime M. Tovar
Ranch Hand
Posts: 133
I have worked in financial services, and the common option is to only allow one session; if there is a second attempt to establish a session, you show a message stating that only one session is allowed. To minimize the cons of this option, you need to give idle sessions a short time to live, let's say 5 to 10 minutes. Also, you can add JavaScript to your pages so that if a window is closed you invalidate the session instantly, even if there wasn't a logout event.
 
Adeel Ansari
Ranch Hand
Posts: 2874
In the second option, you can also dump all the properties of the first session into the second one, then invalidate the first one.
 
Sandip Chaudhuri
Greenhorn
Posts: 26
I prefer the second method.
Users should be on two comps simultaneously :lol:
 
Adeel Ansari
Ranch Hand
Posts: 2874
Originally posted by Sandip Chaudhuri:
I prefer the second method.
Users should be on two comps simultaneously :lol:


Comps?
Ok. It is Computers.

Please avoid using words like "u r", "bcoz", "cuz", and "comps". It makes your posts harder to read, especially for those whose native language is not English. Use real words. Thanks!
 
Alec Lee
Ranch Hand
Posts: 569
Also you can add javascript to your pages so if a window is closed you invalidate the session instantly even if there wasn't a logout event

Still, this cannot cover the case where the user's machine crashes. It seems that the user has to wait for the timeout, and hence we cannot specify a long one.

My idea is to first disallow the second login while also reducing the timeout period of the existing session (session.setMaxInactiveInterval()) to a very small number like 5 seconds. Now, this makes "orphaned" sessions time out quickly while a running user does not get interrupted abruptly. I further add a Filter to restore the inactive period to its normal value if the current user continues with normal requests. What I try to achieve is not to interfere with the existing user session while isolating the "orphaned" sessions.

Any comment on my approach?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65524
My idea is to first disallow the second login while also reducing the timeout period of the existing session (session.setMaxInactiveInterval()) to a very small number like 5 seconds.


Do you really think it's a good idea to force the users to react within 5 seconds between actions in order to avoid being logged out?
 
Jignesh Patel
Ranch Hand
Posts: 626
I further add a Filter to restore the inactive period to its normal value if the current user continues with normal requests.


I don't understand this clearly, but if it is on a per-request basis, then it is a big overhead for your application.
 
Alec Lee
Ranch Hand
Posts: 569
This is not a perfect solution. Just my preliminary idea of how to solve the problems I listed in my original post.

If a user's machine crashes, his session will hang around on the server. When he reboots, he'll have to wait until his "orphaned" session times out. This isn't desirable behaviour, and I don't want this issue to dictate the global timeout period for all the sessions. It seems that the only possibility is to give this "orphaned" session a short timeout period so that the user can log in again quickly.

The major issue is how to tell the difference between an "orphaned" session and one that is really active. For this, I cannot think of a better solution.
 
Adeel Ansari
Ranch Hand
Posts: 2874
What do you say about my idea?
 
Jignesh Patel
Ranch Hand
Posts: 626
It seems that the only possibility is to give this "orphaned" session a short timeout period so that the user can log in again quickly


This is not a good solution when you implement it in reality.
The good solution is to invalidate the first session and let the user log in again with a new session, and before invalidating the first session, dump all the values from the first session into the new session.
 
Adeel Ansari
Ranch Hand
Posts: 2874
Originally posted by Jignesh Patel:
This is not a good solution when you implement it in reality.
The good solution is to invalidate the first session and let the user log in again with a new session, and before invalidating the first session, dump all the values from the first session into the new session.


Ditto already suggested.
Alec, now you have 2 votes for this solution.

Cheers.
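
The "invalidate the first session and carry its values over" strategy discussed in this thread, as an added example that is not any poster's code. It assumes the Servlet 3.0+ javax.servlet API; the class name, the "username" attribute key and the register() method are hypothetical.

```java
import java.util.Collections;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical registry: at most one live session per username, newest login wins. */
@WebListener
public class SingleSessionRegistry implements HttpSessionListener {
    private static final String USER_KEY = "username"; // assumed attribute name
    private static final ConcurrentMap<String, HttpSession> ACTIVE =
            new ConcurrentHashMap<>();

    /** Call only after the credentials have been verified for newSession. */
    public static void register(String username, HttpSession newSession) {
        newSession.setAttribute(USER_KEY, username);
        HttpSession old = ACTIVE.put(username, newSession); // atomic swap
        if (old == null || old == newSession) {
            return; // no earlier session for this user
        }
        try {
            // Carry the old session's state over, then end the old session.
            for (String name : Collections.list(old.getAttributeNames())) {
                if (!USER_KEY.equals(name)) {
                    newSession.setAttribute(name, old.getAttribute(name));
                }
            }
            old.invalidate();
        } catch (IllegalStateException alreadyGone) {
            // The old session timed out or was invalidated concurrently;
            // there is nothing left to copy and the new session stands.
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) { }

    /** Runs on timeout and on invalidate(), so orphaned sessions clean themselves up. */
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        Object user = s.getAttribute(USER_KEY);
        // Remove only if the map still points at this session, not at its replacement.
        if (user != null) {
            ACTIVE.remove(user, s);
        }
    }
}
```

A request still in flight on the first session can hit IllegalStateException after the swap, so a filter that catches it and redirects to the login page keeps the displaced browser from seeing a raw error.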
 