how to reject multiple logins

hi all,

here is the situation.

in my application, ill login with my credentials. at the same time if i open another browser/browser in another system and try to login with same credentials, it should redirect to login page saying "user already logged in". what are the possible solutions to implement this...please suggest me..thanks in advance

Hi,

You can keep a flag in the database to signify the user is already authenticated.
And when the user tries to login again you can check it with this flag.

Hi,

If you don't want to use database just make one login filter which check before login and that filter contains one session map at Application context level.

when user login add user session or to that map or list.

So when you login again it check map or list contains user session or not.

remember one thing at logout time make use same filter with another condition and just update list or map and remove user session from the list or map.


That's way you can also get your way.....

You can keep a flag in the database to signify the user is already authenticated.
And when the user tries to login again you can check it with this flag.

The problem with this is that it locks out users that are in the habit of simply closing browser windows instead of explicitly clicking on the "logout" button. Even if you have a timer that automatically clears these flags every hour or so (or if the user session expires), you're still locking out the user for that time frame.

A better solution would be to check whether the user is logged in already, and invalidate the previous session.

But the important question is: Why do you want to prevent this? What's wrong with a user having two open sessions?

what if i close the browser without clicking logout, at that time i won't be able to remove my userid from session map.....then what should i do?

Hi,

You can configure session time out at web.xml. So that if some one direct close browser without click on sign out then after your define time at web.xml user will log out after some time.

Have a Session Listener when session gets invalidated/destroyed then remove the id from the application context.

Nishan Patel wrote:
You can configure session time out at web.xml. So that if some one direct close browser without click on sign out then after your define time at web.xml user will log out after some time.

inbetween time, he can login right?

Hi,

If session already available and he or she use same browser then no need to login again. Other wise if session destroy and finished by web xml time out then user has to login again.

Apart from using filters, you can consider a set in your servlet to store the usernames. This set must then be shared throughout the application. I did a similar thing with EJB.

For the session timeout, you can use the sessionDestroy method if the user did not logout.

Hi,

I think the best suitable way is depend upon your application.

If there are no many database transaction in your application then i think take one filed in database when user login update this field and check at login time.

And if you dont want database transaction then use filter or other solution you get.