Preventing Multiple Login with same login credentials

 
Ranch Hand
Posts: 41
I am developing a web application that needs to prevent multiple concurrent logins using the same user name and password.

If it happens on the same machine then we need to do something with the user session, but it should also prevent logins from different machines using the same user name and password.

What would be the best approach:

1) Should I store the user session, credentials, and IP address of the machine in the DB?

2) Should we use the session tracking mechanism in the application itself? If so, what is the best approach?


Also, we have to keep the following things in mind:

1) If the user closes the browser without logging out.

2) If the session times out.


Hope it clears the question.
 
Rancher
Posts: 1044
A DB is a good place to maintain this information, and I suggest using it on top of the session mechanism provided by the container.



 
Ranch Hand
Posts: 152
Hi Manish,

I suggest you keep a flag in your user maintenance table, with a default value of 'N' (i.e. not logged in). Once you log in successfully to the application, update the flag to logged in (some flagging value like 'Y'). Every time you try to log in to the application for a particular user, just check that the value of the flag is 'N'; if it is 'Y', redirect to the login page and fail the login process with an appropriate message for the user. This will work irrespective of the machine the user has logged in from, i.e. it will ensure that only one session exists for a user.

Now, to handle the other scenarios (the user closes the browser without logging out, or the session times out), you need to implement a SessionListener, which should be called when the user closes the browser window, upon which it will update the flag to 'N'.

Hope this helps...
 
Rancher
Posts: 43081
Any approach that relies on the web app getting notified somehow if the browser (or browser window) gets closed is likely to be unreliable. In that case the user will have to wait until the session expires.
 
Ranch Hand
Posts: 33

Pravin Shirke wrote: Hi Manish,

I suggest you keep a flag in your user maintenance table, with a default value of 'N' (i.e. not logged in). Once you log in successfully to the application, update the flag to logged in (some flagging value like 'Y'). Every time you try to log in to the application for a particular user, just check that the value of the flag is 'N'; if it is 'Y', redirect to the login page and fail the login process with an appropriate message for the user. This will work irrespective of the machine the user has logged in from, i.e. it will ensure that only one session exists for a user.

Hope this helps...



Hi... I would really like to know how the flag can be set to 'N' if the user closes the browser and does not log out properly?
 
Greenhorn
Posts: 5
Set the session ID in the SOAP header so that the API can validate subsequent requests for this session.
Specify the server URL as the target for subsequent service requests. You must change to the server URL; the login server only supports login calls.
 
Sourabh Bawage
Ranch Hand
Posts: 33

Amreen Bhatti wrote: Set the session ID in the SOAP header so that the API can validate subsequent requests for this session.
Specify the server URL as the target for subsequent service requests. You must change to the server URL; the login server only supports login calls.



An example would be great...
 
Amreen Bhatti
Greenhorn
Posts: 5
Check here http://www.nullskull.com/articles/20030418.asp hope it helps you.
 
Ulf Dittmer
Rancher
Posts: 43081

Amreen Bhatti wrote: Set the session ID in the SOAP header


What does SOAP have to do with this problem?
 
Amreen Bhatti
Greenhorn
Posts: 5
Is this a typo, 'sessionid', not 'sessionId' ? session*I*d.

According to the above example, I think this should work.

    def on_simple_outbound
      if @sessionid
        { XSD::QName.new("urn:enterprise.soap.sforce.com",
                         "sessionId") => @sessionid }
      end
    end

But the only WSDL I know is partner.wsdl, which does not define
'urn:enterprise.soap.sforce.com'. I can be wrong...

Regards,
// NaHi
 
Pravin Shirke
Ranch Hand
Posts: 152
Hi Sourabh,

To implement resetting the flag to 'N' once the user closes the browser window, you need to invoke a JavaScript function like:
Assuming you have set the session id in context, the listener would do the rest, as its SessionDestroyed() method would be called, wherein you need to invoke a DB call for the particular user to reset the flag to 'N'.
 
Sourabh Bawage
Ranch Hand
Posts: 33

Pravin Shirke wrote: Hi Sourabh,

To implement resetting the flag to 'N' once the user closes the browser window, you need to invoke a JavaScript function like:
Assuming you have set the session id in context, the listener would do the rest, as its SessionDestroyed() method would be called, wherein you need to invoke a DB call for the particular user to reset the flag to 'N'.



ya but the process would fail if the scripts are turned off.....
 
Pravin Shirke
Ranch Hand
Posts: 152

ya but the process would fail if the scripts are turned off.....


Yes, agreed, but I don't think there would be any practical scenario wherein scripts are disabled in this dynamic and user-interaction-driven applications world...
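
The flag-plus-listener approach discussed in this thread, as an added Java example (not code from any poster): the flag is claimed with a single atomic UPDATE and released in `sessionDestroyed`, which the container calls on logout and on session timeout. The `users` table, its `logged_in` and `session_id` columns, the `authUser` attribute and the `SingleLoginGuard` class name are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import javax.sql.DataSource;

// Added example. Assumed schema: users(username, logged_in CHAR(1), session_id VARCHAR).
public class SingleLoginGuard implements HttpSessionListener {
    static final String USER_ATTR = "authUser";   // hypothetical session attribute name
    private static volatile DataSource ds;         // assumed to be set once at application startup

    public static void setDataSource(DataSource dataSource) { ds = dataSource; }

    /** Call after the password check succeeds. Returns false if the account already has a live session. */
    public static boolean claim(String username, HttpSession session) throws SQLException {
        // Check and set in ONE statement: a separate SELECT followed by an UPDATE would let
        // two simultaneous logins both read 'N' and both proceed.
        String sql = "UPDATE users SET logged_in = 'Y', session_id = ? "
                   + "WHERE username = ? AND logged_in = 'N'";
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, session.getId());
            ps.setString(2, username);
            if (ps.executeUpdate() != 1) return false;   // flag was already 'Y'
        }
        session.setAttribute(USER_ATTR, username);       // lets sessionDestroyed find the owner
        return true;
    }

    @Override public void sessionCreated(HttpSessionEvent e) { /* nothing to do */ }

    // Called on explicit invalidate() (logout) and on container timeout, not on browser close.
    @Override public void sessionDestroyed(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        Object user = s.getAttribute(USER_ATTR);
        if (user == null) return;                        // session never completed a login
        // Match on session_id so a stale session cannot clear a newer login's flag.
        String sql = "UPDATE users SET logged_in = 'N', session_id = NULL "
                   + "WHERE username = ? AND session_id = ?";
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, (String) user);
            ps.setString(2, s.getId());
            ps.executeUpdate();
        } catch (SQLException ex) {
            throw new IllegalStateException("could not release login flag", ex);
        }
    }
}
```

Register the class with `@WebListener` or a `<listener>` entry in web.xml. A closed browser sends no signal, so the flag clears only when the session times out, and rows left at 'Y' by an unclean server shutdown need a separate reset.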
 