
Question related to application security

 
ganesh pol
Ranch Hand
Posts: 151
While accessing my net banking account I observed one nice thing.
Once, by mistake, I closed the net banking window without logging out (I know this is not a nice thing).

I tried to log in again after somewhere around 2 min; in that case my net banking application gave me a message like "your last login was not properly terminated"
and made me unable to access the system.

I am not a hardcore client-side developer, but this increased my curiosity about how to implement this logic in some simple application.

Can anyone give me some kind of hint to solve this issue?

How could it be possible for my server-side code to know that someone closed the window without logging out?

[ September 29, 2007: Message edited by: ganesh pol ]
 
Tarun Yadav
Ranch Hand
Posts: 134
Well, first you need to understand that there is no way for the server to know what happened to the client. There is no event generated when the browser is closed or terminated or anything. Your server side code simply has no idea if the client is still there or not.

For your need, it can be done in a pretty simple way, actually. There may be better ways, but this is what I can come up with right now.

* You keep a flag to indicate whether the user has logged out or not.
* When a user logs in, first you check the flag. If it is set, you'll know that the user didn't log out last time.
* If it isn't, then he's done everything alright.
* After checking, you set the flag to indicate that the user is logged in.
* When the user logs out, you reset the flag.

So, even more briefly:
* Check the flag on login
* Set the flag on login
* Reset the flag on logout

Where you store this is up to you, but I guess ordinarily you'd want to put it with the user's data in a DB.

Anyone have any other suggestions?

EDIT: Just noticed you want to block login for sometime. You can change this logic a bit to include a timestamp for last login along with the flag. Along with the flag, compare the timestamp for however long you're supposed to lock out the user. If the flag is not set, then he obviously logged out so the timestamp need not be checked.
[ September 29, 2007: Message edited by: Tarun Yadav ]
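The flag-plus-timestamp check described above, written out as an added example rather than code from the thread; the in-memory map, the `LoginGate` name and the 5-minute lockout are assumptions standing in for the user table and whatever lockout period the bank actually uses.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical in-memory stand-in for two per-user columns: a "logged in"
// flag and the time of the last login. A real application keeps these in
// the user table so the check survives a server restart.
public class LoginGate {

    static final class UserState {
        boolean loggedIn;
        Instant lastLogin;
    }

    private final Map<String, UserState> users = new ConcurrentHashMap<>();
    private final Duration lockout;

    public LoginGate(Duration lockout) { this.lockout = lockout; }

    /** Check the flag, then set it: returns false while a stale login is inside the lockout window. */
    public synchronized boolean tryLogin(String username, Instant now) {
        UserState s = users.computeIfAbsent(username, u -> new UserState());
        if (s.loggedIn && s.lastLogin != null
                && Duration.between(s.lastLogin, now).compareTo(lockout) < 0) {
            // previous session never logged out and the lockout has not elapsed yet
            return false;
        }
        // either a clean logout happened, or the stale login is old enough to ignore
        s.loggedIn = true;
        s.lastLogin = now;
        return true;
    }

    /** Reset the flag on logout. */
    public synchronized void logout(String username) {
        UserState s = users.get(username);
        if (s != null) s.loggedIn = false;
    }

    public static void main(String[] args) {
        LoginGate gate = new LoginGate(Duration.ofMinutes(5));
        Instant t0 = Instant.parse("2007-09-29T10:00:00Z"); // constructed sample time
        System.out.println("first login: " + gate.tryLogin("ganesh", t0));
        // window closed without logout, retry 2 minutes later (inside the lockout)
        System.out.println("retry at +2m: " + gate.tryLogin("ganesh", t0.plus(Duration.ofMinutes(2))));
        // retry once the lockout window has passed
        System.out.println("retry at +6m: " + gate.tryLogin("ganesh", t0.plus(Duration.ofMinutes(6))));
        gate.logout("ganesh");
        System.out.println("after logout: " + gate.tryLogin("ganesh", t0.plus(Duration.ofMinutes(7))));
    }
}
```

The timestamp is what keeps a crashed browser, or a crashed server that never cleared the flag, from locking the account out permanently.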
 
Ben Souther
Sheriff
Posts: 13411
Originally posted by ganesh pol:

i observed one nice thing
...
I tried to log in again after somewhere around 2 min; in that case my net banking application gave me a message like "your last login was not properly terminated"
and made me unable to access the system.


I don't see that as a nice thing.
To me that's an inconvenience.
If I'm working on something and my browser crashes before I'm done, I would want to be able to fire up a new browser instance and do what I set out to do. That the browser crashed will mean that I'm already somewhat irritated because of what's going on with my local system. Seeing a message like that, at that point, would put me in a really bad mood and ensure that I'm not happy with that bank for the day.
What's nice about that?

I'm guessing this is a side effect of a 'feature' designed to keep more than one person from logging in with the same user name and password at the same time. When you tried to log in the second time, the application probably checked to see if there was already an active session with your user name and refused access until it expired.
 
ganesh pol
Ranch Hand
Posts: 151
Thanks for both of your replies.

Some more questions come to my mind.

Consider the following use case:

1] User logs in
My login controller or service object will use the following business logic when the user is authenticated:
i] When the username and password provided by the user match a record in my user table, I will keep that record in the HttpSession in some value object.
ii] I update the flag for the user record to say that he/she has logged in and update his last logged-in time.

Now consider the following 2 scenarios:
2.1] The user is using my application and then clicks log out
i] In my logout service or controller I will update the flag for the user record to say that he has logged out.
ii] I will terminate the user's HttpSession object.
Here we get the success we expect.

2.2] The user started the application and the browser is idle for a long time
i] The session gets terminated.
Important note: I observed one thing: although my session is terminated, the HttpSession object is not null.

Is there any way, when the server terminates the user's session, to update that this user is logged out?

i.e. is there any way that when the server wants to terminate the user session my code will intercept it and update the "is logged out" flag in the database?

[ October 01, 2007: Message edited by: ganesh pol ]
 
Ben Souther
Sheriff
Posts: 13411
Before we can comment, you'd have to tell us what you're trying to achieve.
Are you looking to keep people out of the system until their past sessions have expired?
If so, why?
What would this accomplish; other than annoying your users?
 
Ben Souther
Sheriff
Posts: 13411
Have you looked at sessionListeners?
 
paritosh ranjan
Ranch Hand
Posts: 62
You can use HttpSessionListener here. Any class that implements HttpSessionListener is notified when any new session is created or destroyed. It has two methods, sessionCreated() and sessionDestroyed().
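An HttpSessionListener that clears the "logged in" flag when the container destroys the session, covering both the explicit-logout and the idle-timeout scenario from the question; this is an added example, not code from the thread, and the `LoggedInUser` value object, the `UserDao` map and the `currentUser` attribute name are assumptions standing in for the poster's own classes.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical value object the login controller stores in the session
// (stands in for the user record kept there after authentication).
class LoggedInUser {
    private final String username;
    LoggedInUser(String username) { this.username = username; }
    String getUsername() { return username; }
}

// Hypothetical stand-in for the user table's "logged in" column.
class UserDao {
    static final Map<String, Boolean> LOGGED_IN = new ConcurrentHashMap<>();
    void setLoggedIn(String username, boolean value) { LOGGED_IN.put(username, value); }
}

// Register with a <listener> element in web.xml (or @WebListener on Servlet 3.0+).
public class LogoutFlagListener implements HttpSessionListener {

    // constructed attribute name; the login controller must store the user under the same key
    static final String USER_ATTR = "currentUser";

    private final UserDao userDao = new UserDao();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to do here: the login controller sets the flag only after the
        // credentials have been checked, not when the session object is created.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Runs for an explicit invalidate() from the logout controller and for a
        // container timeout (the idle-browser case), so the flag is cleared either way.
        // Since Servlet 2.4 the listener is invoked before the container discards the
        // attributes, so the user object is still readable here.
        HttpSession session = se.getSession();
        Object user = session.getAttribute(USER_ATTR);
        if (user instanceof LoggedInUser) {
            userDao.setLoggedIn(((LoggedInUser) user).getUsername(), false);
        }
    }
}
```

The listener only fires when the container gets to destroy the session, so the login-side timestamp check still matters if the server itself goes down with sessions open.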
 