login mechanism using JAVA

himanshu patel
Ranch Hand

Joined: Feb 03, 2003
Posts: 205
Hi All,
I have a problem related to the login mechanism.
Currently, I am working on a J2EE application which uses a login mechanism to allow users to gain access to the application. Now I need to do the following.
If a user logs in with his/her own username/password from one PC, then
(1) Application should not allow logging in with the same username/password from another PC.
(2) Application should not allow logging in with the same username/password from the same PC using another browser window.
(3) Application should be able to handle unexpected logout like shutting down the PC, a crashing browser window, accidental killing of the browser window, etc.
I am using JSP, servlet, EJB with Oracle 9IAS as application server on Apache web server.
Using Oracle 8I database.
Can anyone suggest possible solutions to implement this efficiently?
Any suggestion is highly appreciated.
Thanks in advance.
Himanshu


If you want to become a rich, do not work for others but make others to work for you.
kamal kumar
Greenhorn

Joined: Jun 06, 2003
Posts: 1
I don't think there is a straightforward way to do this. These are my thoughts.
Assuming that you are using a central servlet, where every request goes to the servlet and is distributed from there.
(1) Application should not allow logging in with the same username/password from another PC.
(Have a singleton class or instance hashmap to store the active user information, to know who is logged in and logged out at a given moment. For this you can use sessionBindingListener, which fires an event whenever a user logs in or logs out. With this you can restrict the user from logging in a second time.)
(2) Application should not allow logging in with the same username/password from the same PC using another browser window.
(3) Application should be able to handle unexpected logout like shutting down the PC, a crashing browser window, accidental killing of the browser window, etc.
(An extension of the above answer. This is a little difficult to achieve, because there is no control over closing the browser. The session will expire only after a certain amount of time, so you can't control that. My suggestion is to maintain a window name for the result page (or login page) and pass the result to that window. So, even if a person is trying to log in from two browsers, his response will go to only one browser.)
But....!!! The user can still use the two browsers. After he logs in and presses Control+N, the same session will be shared, and he can operate on these two windows. How can you control that?? He need not even log in a second time to use another browser.
Stan James
(instanceof Sidekick)
Ranch Hand

Joined: Jan 29, 2003
Posts: 8791
To prevent one user on multiple PCs, you need some kind of state (in memory, database, etc) that tracks who is logged on where by IP addresses or whatever applies to your client.
If you prevent multiple logons be sure to allow some mechanism for clearing that state. It's easy to get things messed up so the state thinks someone is logged on when they're not so they cannot log on again.
Detecting close browser is tough. Heavy weight solution: Run an applet with a socket connection to server, have the server ping the applet every so often to see if it's still alive. I've seen this done in work routing applications that have to know when the client is available.
Kamal mentioned Ctrl-N (file/new/window in IE) to get a new browser window. In the past, we have had to distinguish between this which shares cookies and session stuff, and starting a new instance of IE which does not. On a couple projects we allowed multiple login from same machine and the second login invalidated the first session so the first window no longer worked. Not pretty.


A good question is never answered. It is not a bolt to be tightened into place but a seed to be planted and to bear more seed toward the hope of greening the landscape of the idea. John Ciardi
Rohit Ahuja
Ranch Hand

Joined: Oct 04, 2001
Posts: 121
Hi dudes,
correct me if I am wrong.
This is the way I would look at the solution. My solution might be comparatively slower; if you get a faster alternative, do let me know as well.
1. No 2 browsers should enable the same person logging in.
I would have a flag column in the database in my login and password table. When someone's inside, I say the flag is 1/True... whatever. So every time someone logs in I know by the status of this flag.
As far as the Ctrl-N stuff is concerned, that's a tricky one, would still need to think on it.
And as far as the accidental/deliberate shutting down/browser closing is concerned,
you could reset the above-mentioned flag: once the default time (the time after which, if the browser is inactive, you log off a person) is over, you need to log him off automatically.


Face Off.
Stan James
(instanceof Sidekick)
Ranch Hand

Joined: Jan 29, 2003
Posts: 8791
I'd probably try to keep the user's location (IP address) maybe in a session table rather than a flag in the user table. And I'd let them log in twice from the same location.
This would let them log in from two IE instances which is not real good. In other apps I've worked on, doing so established a new session and wiped out the old one, making the old IE window "no longer logged in." Not pretty, but we lived with it.
But if we don't allow them to log in again and they accidentally close a browser they are locked out for the time-out period. My customers report the dollar value of every minute of downtime for every user and I don't want to be on that list because they are locked out!
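The trade-off discussed in the replies above (refuse a second login, or let it take over, and in both cases release state that a crashed browser left behind) can be sketched in plain Java. This is an added example, not code from any poster in this thread. The class and method names and the 30-minute idle window are hypothetical, and records require Java 16 or later. In a servlet container, `logout` would be called from an `HttpSessionBindingListener`'s `valueUnbound` and `touch` from the central servlet on every request.

```java
import java.util.HashMap;
import java.util.function.LongSupplier;
public class SingleSessionRegistry {
    enum Result { GRANTED, TOOK_OVER, DENIED }
    private record Entry(String sessionId, long lastSeen) {}
    private final HashMap<String, Entry> active = new HashMap<>();
    private final long idleMillis;
    private final boolean takeOver;    // true: a second login replaces the first
    private final LongSupplier clock;  // injectable so the demo below is deterministic
    SingleSessionRegistry(long idleMillis, boolean takeOver, LongSupplier clock) {
        this.idleMillis = idleMillis; this.takeOver = takeOver; this.clock = clock;
    }
    private boolean live(Entry e, long now) { return e != null && now - e.lastSeen() <= idleMillis; }

    // Call after the password check succeeds, with the new session's id.
    synchronized Result login(String user, String sessionId) {
        long now = clock.getAsLong();
        boolean held = live(active.get(user), now);
        if (held && !takeOver) return Result.DENIED;
        active.put(user, new Entry(sessionId, now));
        return held ? Result.TOOK_OVER : Result.GRANTED;
    }

    // Call on every request; false means this session no longer owns the login.
    synchronized boolean touch(String user, String sessionId) {
        long now = clock.getAsLong();
        Entry e = active.get(user);
        if (!live(e, now) || !e.sessionId().equals(sessionId)) return false;
        active.put(user, new Entry(sessionId, now));
        return true;
    }

    // Call on logout or session unbind; only the owning session may clear the entry.
    synchronized void logout(String user, String sessionId) {
        active.computeIfPresent(user, (u, e) -> e.sessionId().equals(sessionId) ? null : e);
    }
    public static void main(String[] args) {
        long[] t = {0};  // constructed clock, in milliseconds
        var strict = new SingleSessionRegistry(30 * 60_000L, false, () -> t[0]);
        System.out.println(strict.login("alice", "s1"));   // first login
        System.out.println(strict.login("alice", "s2"));   // second PC while s1 is live
        t[0] += 31 * 60_000L;                              // s1's browser died; timeout passes
        System.out.println(strict.login("alice", "s2"));   // stale entry no longer blocks
        var lenient = new SingleSessionRegistry(30 * 60_000L, true, () -> t[0]);
        lenient.login("alice", "s1");
        System.out.println(lenient.login("alice", "s2"));  // s2 takes over from s1
        lenient.logout("alice", "s1");                     // late unbind of s1 must not free s2
        System.out.println(lenient.touch("alice", "s1") + " " + lenient.touch("alice", "s2"));
    }
}
```

Keying the entry on the session id rather than a boolean flag is what lets a late unbind from the replaced session be ignored instead of logging out the new owner.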
Stan James
(instanceof Sidekick)
Ranch Hand

Joined: Jan 29, 2003
Posts: 8791
Forgot to ask - Do you have an option to BUY a solution? Look at SiteMinder by Netegrity. Buy vs build saves coding time and long term ownership issues, plus products like SiteMinder give you good single signon - one login for a whole collection of cooperating applications. That's hard to build from scratch!
http://www.netegrity.com/products/products.cfm?page=SMoverview
 