• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Ron McLeod
  • Rob Spoor
  • Tim Cooke
  • Junilu Lacar
Sheriffs:
  • Henry Wong
  • Liutauras Vilda
  • Jeanne Boyarsky
Saloon Keepers:
  • Jesse Silverman
  • Tim Holloway
  • Stephan van Hulst
  • Tim Moores
  • Carey Brown
Bartenders:
  • Al Hobbs
  • Mikalai Zaikin
  • Piet Souris

Preventing multiple concurrent use of user details

 
Ranch Hand
Posts: 146
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
When a user logs into a webapp, I tend to store a Bean representing the user in the user session. If that bean is not present in the session on any request, the user is returned to the login page to re-authenticate.

For any given userid at any given moment, I've been asked to make the application prevent the userid from being used concurrently. In other words, to prevent "joe bloggs" from being logged on at two or more terminals at once.

The problem is, I don't see how I can reliably do this. As far as I know Servlets 2.3 doesn't provide a means by which to examine other sessions, so I can't check that way. I could in theory record details in the database, but then there is the issue of reliably removing it when the session expires or the user logs out.

I don't have access to a full J2EE server - it only supports Servlets and JSP, so I can't use anything from EJB.

Any ideas?
 
Sheriff
Posts: 13411
Firefox Browser VI Editor Redhat
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Daniel Dalton:

The problem is, I don't see how I can reliably do this.



"Reliably" is the keyword here and you're right.
This topic has been discussed here several times and I've yet to see a solution that was reliable.

HTTP is a stateless protocol and doesn't behave the same way that statefull terminal sessions do.

Connections hiccup.
Browsers crash.
They also behave differently regarding session cookies depending on how you open them.
 
Daniel Dalton
Ranch Hand
Posts: 146
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks Ben,

I thought I'd better check in case I was missing something glaringly obvious!
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser VI Editor Redhat
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Again, you can find long discussions on the issue if you search this (and the JSP forum).
 
You showed up just in time for the waffles! And this tiny ad:
Building a Better World in your Backyard by Paul Wheaton and Shawn Klassen-Koop
https://coderanch.com/wiki/718759/books/Building-World-Backyard-Paul-Wheaton
reply
    Bookmark Topic Watch Topic
  • New Topic