Preventing multiple concurrent use of user details

When a user logs into a webapp, I tend to store a Bean representing the user in the user session. If that bean is not present in the session on any request, the user is returned to the login page to re-authenticate.

For any given userid at any given moment, I've been asked to make the application prevent the userid from being used concurrently. In other words, to prevent "joe bloggs" from being logged on at two or more terminals at once.

The problem is, I don't see how I can reliably do this. As far as I know Servlets 2.3 doesn't provide a means by which to examine other sessions, so I can't check that way. I could in theory record details in the database, but then there is the issue of reliably removing it when the session expires or the user logs out.

I don't have access to a full J2EE server - it only supports Servlets and JSP, so I can't use anything from EJB.

Any ideas?

Originally posted by Daniel Dalton:

The problem is, I don't see how I can reliably do this.

"Reliably" is the keyword here and you're right.
This topic has been discussed here several times and I've yet to see a solution that was reliable.

HTTP is a stateless protocol and doesn't behave the same way that statefull terminal sessions do.

Connections hiccup.
Browsers crash.
They also behave differently regarding session cookies depending on how you open them.

Thanks Ben,

I thought I'd better check in case I was missing something glaringly obvious!

Again, you can find long discussions on the issue if you search this (and the JSP forum).