Prevent multiple concurrent logins from same user in clustered env

Hi,

I have a challenge to prevent users from concurrently logging into a WL 8.1 web application using the same user account. My idea was to maintain a collection of user ids and session objects. Initially if a user logs in successfully their user id is stored with their session in this collection. If another user (using same user id) logs in then the new session will be stored against the user id and the old one invalidated - thus kicking the first user out.

However, the weblogic setup i will need to deploy it to will be clustered? I thought about creating a singleton manager class but my understanding is that this singleton cannot be maintained across the servers in the cluster.

I would appreciate any comments / help on this.

Thanks in advance

Hi,

When you deploy this application, a session will be created. Even though the application is deployed on a cluster, only one session will be created and this session's "creation" information is updated on all other managed servers. I would say that this would work.

Please let me know if I am not clear with the problem.

Regards
Prashant Bhogvan

I'm not clear on your response. Say I have 4 servers in the cluster. A user using the service logs into the application and creates a session. Server A deals with the login and creates the session and puts this into a collection with the user id.

Subsequently another user tries logging on with the same account details but uses server B. The method i have described to prevent the dual login, should accomplish this through looking up the userid in the collection and invalidating any sessions for this user id if they already exist.

How do I make only a single session managmenet collection available to all clustered servers so that it can be used to lookup existing sessions when users login?

Did you thought about application state caching (static variable)? You can check this to see if user has already logged on. However do remember application caching will not work on clustered environment. You may have to take look on how to keep the cache in the cluster in sync use JMS.

Simple way will be to update the state in the db and check this before authenticating the user.

As mentioned above, this can be implemented best using DB persistence. When a user logs in, update some flag in the DB against that user. When another login is attempted with the same username, you can check against this flag before proceeding.

Appu.

I aslo recommend DB option.

Thanks very much for the responses so far.

I understand your responses and the preference for the DB option. I can see how this would prevent a second attempt to login using the same user id. However using this approach our challenge is that the user who has successfully logged on and using the application could close their browser at any time. If they do not have their browser set to allow javascript then we will not capture this event. The db record for the user will still have a flag against it showing that a user is logged on preventing any further attempts to logon. We could of course implement a timeout on the flag to unset it after x minutes but it still means until the flag is released the user will not be able to log back in.

An alternative approach which would circumvent this would be to allow the second user using the same id to log in successfully but at the same time kick the first user out. However with the db approach which you've suggested the flag is only tested during authentication. Therefore when the second user logs in I can't see a way to implement this so that the first user (who is already authenticated and using the application)is kicked out (effectively invalidating the session).

Can anyone provide any further assistance on this? Much appreciated.

Hi pete,
One suggestion I can give is to compare the timestamps from the database.

I can't see how that would help in this situation. Please can you expand on your reply.

Pete, all you have to do is have a session listener event and when session expires you can update the DB flag back. However the reall issue is let's assume you set the session timeout to be 10 minutes and if user closes the browser then for next 10 minutes the same user can't log back. This is real issue. Even I am not sure Timestamp will be of real help.
[ May 31, 2006: Message edited by: Purushothaman Thambu ]

Exactly - this is the reason why I am trying to use an alternative approach. For the solution I am designing - a high volume application - having the user unable to access the system until the session has expired (20 mins in our case) is not acceptable.

This is why i have looked at alternatives to use the 'second user kicks out first' approach. If the first user closes their browser and then immediately opens a new one and logs back in they will gain access without have to wait for the session to time out.

I've received some further help which may lead to a solution. Each node within a cluster maintains its own map of user ids and sessions, but also each node subscribes to a JMS topic. When a login occurs the node will check its map for the user id and invalidate any sessions that already exist for that user id. The node was also publish a message to the JMS topic so other nodes in the cluster receive this notification and do the same.

From business point of view I don't think it's good option to let second user session kick out first user session. From usability and maintenance it will cause friction. How do you handle if the first session started some long running task. You can effectively inactivate the first session but what about the task initiated by first user?.

I believe you want something like "stateful" http to you know when user closes the browser so that you don't block the second attempt if it comes before first session expired on the server. I guess it will be better to think about AJAX (keep updating the server very few seconds asynchronously) but not a clean way!...

Please can some one tell me how to use session listener event or ajax to prevent multiple concurrent logins for same user in clustered environment.

aparna dingankar wrote:Please can some one tell me how to use session listener event or ajax to prevent multiple concurrent logins for same user in clustered environment.

This thread is 3 years old. You are likely to get better responses if you post in the right forum on your own thread. This problem is not specific to weblogic so why not try one of the other forums to handle your question ?

Please provide more details about your architecture. That will allow more people to understand the question and reply.

[EDIT]

Sigh ! Just realized you already started another thread

https://coderanch.com/t/455019/BEA-Weblogic/prevent-multiple-login-users-logging