
invalidate a session by using session id

 
Satchidananda Mohanty
Ranch Hand
Hi there,

I wanted to invalidate a session by using its session ID.

The scenario is like this:
I want to log in to one application with one user ID and password, but multiple logins are not allowed. I need to invalidate the other session so I can log in again right now from the new machine.

I can see the session ID in the database. My question is: can I invalidate that other machine's session by using this database session ID value?

Thanks in advance,
zeet
 
Nauman Hasan
Ranch Hand
If you store a map of userid to sessionid in the database then you could potentially read it from another machine (each time a user accesses your site) and invalidate the session the next time the user accesses the site.

There would be performance implications to this though in terms of additional database accesses.

~Nauman
 
Ravi Kiran Va
Ranch Hand
Can anybody please tell me how this can be done?

Assume we got a session ID, say something like: 12222tyyyy677777767789999

Knowing the session ID, how can we disable a session?
 
William Brogden
Author and all-around good cowpoke
Rancher
The servlet API does not provide a direct way to do that - it was felt to be a security risk.

This gets discussed frequently, browse around or search the forum.

Bill
 
Ravi Kiran Va
Ranch Hand
Thanks William, I didn't find the answer to my question anyway. I don't know what keywords to use to search for this in Google.
 
Jaikiran Pai
Sheriff
Ravi Kiran Va wrote: Thanks William, I didn't find the answer to my question anyway. I don't know what keywords to use to search for this in Google.


How about this?
 
Ravi Kiran Va
Ranch Hand
Jai Kiran,

The link you provided isn't working, please tell me.
 
Jaikiran Pai
Sheriff
Ravi Kiran Va wrote:

The link you provided isn't working


What exactly is the problem, with that link? What error are you seeing?

 
Todd Buell
Greenhorn
Unfortunately this isn't possible from the context of another session, as was said.

The workaround we used was to apply a filter to all incoming requests that checks whether they belong to the currently active session. If not, it invalidates the session and redirects the user to a login page. If there is a match then the request continues on unimpeded and functions as normal.

example:

 
Ravi Kiran Va
Ranch Hand
Hi Todd, thanks for the code.

The actual requirement is that I need to log out Person A if Person B has used the same user ID to log in from another machine.

But how do you think the above code will work if two persons were logged in from two separate machines?
 
Todd Buell
Greenhorn
The way that it would work is that you have to have some sort of way to store the "current valid session ID". In our implementation we propagate it to the DB. This is by no means a complete solution but just a good starting point.

You have to somehow store what the current valid ID will be. For us, when the user logs in, if no active session exists then that session becomes the valid ID. Then when a user logs in with the same credentials we prompt the user to allow them to either abandon their login or continue and invalidate the old session. (This is the requirement we were implementing a solution for.) Regardless of what machines they log in from, the container will generate the unique session, and thus a unique ID for the connection. You can connect to the system twice from the same machine using the same credentials and you'll create two sessions. (If you try to log in in the same browser but in two tabs, since in most browsers they share the same cookie set, your session will be the same for all tabs in the same browser instance.) So for this to work you need to somehow specify what "getCurrentSession(userId)" returns.

So, assuming that Person A logs in with credentials foo/bar and then Person B logs in using foo/bar, depending on how you decide who gets to continue, you just specify A's or B's ID as the result of "getCurrentSession(userId)", be it retrieved from a database, a collection stored and shared amongst all nodes hosting the app, etc. For the example let's say that when Person B logs in, they get to continue and Person A is "kicked out". So, when Person B invokes an action in your application, the filter based on the provided sample sees that the session IDs match and nothing happens. However, Person A's session ID is not the same as Person B's and thus not the currently allowed session. So when the filter executes for Person A it notices that the session IDs don't match, and the assumption is that the session with the different ID is invalid and should terminate. So, Person A's request causes their session to have "session.invalidate()" called, thus ending their session.

Basically, since you're unable to invalidate a session from another session, the best you can do is ask invalid sessions to kill themselves. This can only be done when Person A invokes another action that hits the server.
 
Ravi Kiran Va
Ranch Hand
Thanks Todd for your time.
Assume that you got the session ID which is stored in the database using the below code


What can we do with this? I mean my question is: by knowing the session ID, is it possible to invalidate the session?

Thanks.
 
Paul Sturrock
Bartender
Re-read Todd's post, especially the last sentence:

Basically, since you're unable to invalidate a session from another session, the best you can do is ask invalid sessions to kill themselves. This can only be done when Person A invokes another action that hits the server.


 
Ravi Kiran Va
Ranch Hand
Assume that Person A invokes another action that hits the server.
Ask invalid sessions to kill themselves.


Thanks Paul for making things clearer, but how can this be practically implemented?

 
Todd Buell
Greenhorn
That is what the filter in the example code is doing. When a request arrives for a session whose ID is not the one you wish to have continue, it calls session.invalidate() on itself.

So actually the session that is invalidating is the session itself. Since this filter is mapped to be invoked by all actions, all sessions will check themselves to be allowed to continue before invoking other actions. The only thing the new/valid session is doing is communicating to all other sessions that it is the only one allowed to continue. Basically the new/valid session is just requesting that all other sessions invalidate themselves. That's really all another session can do. As stated before, the ability to invalidate a session from another session has been removed for security concerns.
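A complete version of the filter-plus-registry approach Todd describes above and in his earlier post, as an added example; it is not Todd's posted code, which did not survive on this page. It assumes Servlet 4.0 on the javax.servlet API (so Filter.init/destroy and HttpSessionListener.sessionCreated have default bodies), a session attribute named userId set at login, and an in-memory map standing in for the database table the thread talks about; the attribute name, the class names and the /login redirect target are assumptions. Two details the thread does not cover are included because a practitioner would want them: the login step rotates the session ID before registering it, so an attacker cannot fixate an ID ahead of time, and the registry stores a SHA-256 fingerprint of the session ID rather than the ID itself, so a leaked table cannot be replayed as a cookie.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

/**
 * Single-session-per-user enforcement. No session can invalidate another, so
 * every request is checked and a superseded session invalidates itself.
 */
@WebFilter("/*")
public class SingleSessionFilter implements Filter {

    /** Session attribute holding the logged-in user; assumed name, not from the thread. */
    static final String USER_ATTR = "userId";

    /**
     * userId -> SHA-256 fingerprint of the one session ID currently allowed.
     * The ConcurrentHashMap stands in for the DB table the thread mentions; a
     * multi-node deployment would read and write the shared DB here instead.
     * Only a hash is kept, so a leaked table cannot be turned into cookies.
     */
    static final class Registry {
        private static final Map<String, byte[]> CURRENT = new ConcurrentHashMap<>();

        static byte[] fingerprint(String sessionId) {
            try {
                return MessageDigest.getInstance("SHA-256")
                        .digest(sessionId.getBytes(StandardCharsets.UTF_8));
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException("SHA-256 unavailable", e);
            }
        }

        /** The latest login wins; any older session for this user becomes stale. */
        static void register(String userId, String sessionId) {
            CURRENT.put(userId, fingerprint(sessionId));
        }

        static boolean isCurrent(String userId, String sessionId) {
            byte[] allowed = CURRENT.get(userId);
            return allowed != null && MessageDigest.isEqual(allowed, fingerprint(sessionId));
        }

        /** Drop the entry only if it still refers to this session, never a newer login. */
        static void unregister(String userId, String sessionId) {
            CURRENT.computeIfPresent(userId, (u, allowed) ->
                    MessageDigest.isEqual(allowed, fingerprint(sessionId)) ? null : allowed);
        }
    }

    /** Call from the login servlet after the credentials have been verified. */
    public static void onLogin(HttpServletRequest request, String userId) {
        request.changeSessionId();                  // Servlet 3.1+: defeats session fixation
        HttpSession session = request.getSession();
        session.setAttribute(USER_ATTR, userId);
        Registry.register(userId, session.getId()); // any older session for userId is now stale
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        if (session != null) {
            String userId = (String) session.getAttribute(USER_ATTR);
            if (userId != null && !Registry.isCurrent(userId, session.getId())) {
                // Person A's next request after Person B logged in lands here:
                // the stale session ends itself and the user is sent to log in again.
                session.invalidate();
                ((HttpServletResponse) res).sendRedirect(
                        request.getContextPath() + "/login?reason=superseded");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** Removes registry entries for sessions that time out or log out normally. */
    @WebListener
    public static class Cleanup implements HttpSessionListener {
        @Override
        public void sessionDestroyed(HttpSessionEvent se) {
            String userId = (String) se.getSession().getAttribute(USER_ATTR);
            if (userId != null) {
                Registry.unregister(userId, se.getSession().getId());
            }
        }
    }
}
```

The filter compares the container's own session.getId() against the registry, never a value the client sends, so a user cannot keep a superseded session alive by forging a parameter. As Todd notes, the stale session is only ended on its next request; a session that never sends another request simply expires on its own timeout, at which point the Cleanup listener removes it from the registry.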
 
Ravi Kiran Va
Ranch Hand
Thanks, I got it how to implement this feature now.

Once again, thanks Todd, Paul, have a nice day.
 