
JSP Session and validation

samart mateo
Ranch Hand

Joined: Feb 06, 2006
Posts: 37
I have a problem with user validation. For security, the system would allow only 1 user under the same userID to be logged in at one time. For this, I stored the user's status in the DB. The problem came when the user exits the system by clicking the browser's close button or the computer suddenly shuts down. The server would still have the user's status as online. So, when the same user would like to log back in, the system would deny his entry.

My question is:

1. Let's say a false user had logged in using my ID, and later I would log in using my ID. How do I terminate the false user's authorization? I'm using the JSP session for validation. How could I deny the false user's JSP session?

2. How do I clear the log data in the DB when the system suddenly shuts down, so that the user's status would be declared as offline again?

I think the banking system would have the same security issue as mine. If anybody has experienced the same problem, please help me. Thank you.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61766
    

There is no reliable way -- as you have discovered in your other posted questions -- to know when the user has exited your site. You simply need to rely on the session timeout to tell you that a session has been inactive beyond the timeout limit.


Eddy Lee Sin Ti
Ranch Hand

Joined: Oct 06, 2005
Posts: 135
A few online banking systems that I have used implement the following:

1. Use JavaScript in the browser to log off the user when the browser closes (body.onunload).

2. Implement an HttpSessionListener to clear the user's login status.

If you worry about the subsequent login being blocked by the first one, you can provide an overriding screen for the user to provide a password to "kick off" the previous logon.


SCJP, SCWCD, SCJWS, IBM 700, IBM 701, IBM 704, IBM 705, CA Clarity Technical
http://eddyleesinti.blogspot.com
Adeel Ansari
Ranch Hand

Joined: Aug 15, 2004
Posts: 2874
Originally posted by Eddy Lee Sin Ti:
1. Use JavaScript in the browser to log off the user when the browser closes (body.onunload).


It would definitely work in a happy scenario. But as Bear already said, "there is no reliable way to do that". It's worth implementing this one too, I must say.
Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8919

Wouldn't it be possible to store the currently logged-in user info in memory rather than in the DB? When the session times out, remove the user entry even if the user failed to log out. I am assuming that you are not working in a non clustered environment.


Groovy
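The HttpSessionListener, in-memory store and "kick off" ideas from the replies above, combined into one added example (not code posted by anyone in the thread). It assumes the `javax.servlet` 3.x API on Java 8, a single non-clustered JVM, and hypothetical names `SingleLoginRegistry` and `userId`.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Allows one live session per user ID. In-memory, so single JVM only (not clustered). */
@WebListener
public class SingleLoginRegistry implements HttpSessionListener {

    // Hypothetical attribute name under which the login code stores the user ID.
    static final String USER_ATTR = "userId";

    // userId -> the only session currently allowed to act as that user.
    private static final ConcurrentMap<String, HttpSession> ACTIVE = new ConcurrentHashMap<>();

    /** Call only after the password has been verified. Evicts any older session. */
    public static void register(String userId, HttpSession fresh) {
        fresh.setAttribute(USER_ATTR, userId);
        HttpSession old = ACTIVE.put(userId, fresh);
        if (old != null && !old.getId().equals(fresh.getId())) {
            try {
                old.invalidate(); // "kick off": the older session loses its login state
            } catch (IllegalStateException alreadyInvalid) {
                // The older session had already timed out; nothing left to revoke.
            }
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to track until the user has authenticated.
    }

    /** Called by the container on explicit logout, on eviction, and on session timeout. */
    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession gone = event.getSession();
        Object userId = gone.getAttribute(USER_ATTR);
        if (userId != null) {
            // Remove the entry only if it still points at the session being destroyed,
            // so tearing down an evicted session cannot log out its replacement.
            ACTIVE.computeIfPresent(userId.toString(),
                    (id, current) -> current.getId().equals(gone.getId()) ? null : current);
        }
    }
}
```

Because the registry lives in memory, a server restart starts with no user marked as online, and a closed browser is cleaned up when the container's session timeout fires.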
samart mateo
Ranch Hand

Joined: Feb 06, 2006
Posts: 37
Originally posted by Pradip Bhat:
Wouldn't it be possible to store the currently logged-in user info in memory rather than in the DB? When the session times out, remove the user entry even if the user failed to log out. I am assuming that you are not working in a non clustered environment.


I need to lock some 'editing capabilities' of certain pages from other users if one user is currently using that page.

For example, a user is currently editing the statuses of manufacturing parts of a project. And another user opens the page that holds the same project. The first user then saves his changes. And then, the second user saves his changes. The second save would overwrite the first save.

To avoid this, I stored the user log status in the DB. So, if a user is currently accessing a certain page, the system would lock the page from other users. If there's a way in JSP that the server could detect different sessions from different workstations, please let me know how to solve this.

Thank you all for your replies. However, I haven't tried HTTPListener yet. Thank you very much.
Adeel Ansari
Ranch Hand

Joined: Aug 15, 2004
Posts: 2874
Originally posted by samart mateo:
I need to lock some 'editing capabilities' of certain pages from other users if one user is currently using that page.

For example, a user is currently editing the statuses of manufacturing parts of a project. And another user opens the page that holds the same project. The first user then saves his changes. And then, the second user saves his changes. The second save would overwrite the first save.

To avoid this, I stored the user log status in the DB. So, if a user is currently accessing a certain page, the system would lock the page from other users. If there's a way in JSP that the server could detect different sessions from different workstations, please let me know how to solve this.

Thank you all for your replies. However, I haven't tried HTTPListener yet. Thank you very much.


It sounds like a write lock to me. Most databases do it for you.

If you want to stop the second user from viewing it as well, then you can try a read lock. We normally do it with a select..for update query in Oracle. DB2 and SQLServer also provide read lock queries.
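The `select ... for update` row lock mentioned above, sketched in JDBC as an added example (not code from the thread). It goes one step further by comparing the row with the value the edit form was loaded with, because the row lock lasts only for one transaction and not while a user has the page open. The `part` table, its columns and the class and method names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Objects;

public class PartStatusDao {

    /**
     * Saves newStatus only if the row still holds the value the user's edit form was
     * loaded with. Table "part" and its columns are hypothetical names for this example.
     * @return false if the part is missing or was changed by someone else in the meantime
     */
    public static boolean saveStatus(Connection con, long partId,
                                     String statusWhenLoaded, String newStatus) throws SQLException {
        boolean previousAutoCommit = con.getAutoCommit();
        con.setAutoCommit(false); // the row lock lives only as long as this transaction
        try {
            try (PreparedStatement lock = con.prepareStatement(
                    "SELECT status FROM part WHERE id = ? FOR UPDATE")) {
                lock.setLong(1, partId);
                try (ResultSet rs = lock.executeQuery()) {
                    // A concurrent saver blocks on its own SELECT until we commit or roll back.
                    if (!rs.next() || !Objects.equals(statusWhenLoaded, rs.getString("status"))) {
                        con.rollback(); // stale edit: refuse instead of overwriting
                        return false;
                    }
                }
            }
            try (PreparedStatement update = con.prepareStatement(
                    "UPDATE part SET status = ? WHERE id = ?")) {
                update.setString(1, newStatus);
                update.setLong(2, partId);
                update.executeUpdate();
            }
            con.commit();
            return true;
        } catch (SQLException e) {
            con.rollback();
            throw e;
        } finally {
            con.setAutoCommit(previousAutoCommit);
        }
    }
}
```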
 