How to restrict duplicate login?

sjhyam m
Greenhorn

Joined: Apr 26, 2001
Posts: 7
hi!
In our site we have to restrict duplicate logins of the same user. We are developing our site using JSP/servlets on iPlanet Appserver.
I am thinking of a solution like this: I will maintain a status in the user table as ON/OFF to indicate whether the user is logged in or logged out. If the status is ON and the user tries to log in again, we will send a message: "Duplicate Login. Logout and try...". When the user logs out, the status is set to OFF.
Here, the real problem comes when the user does not log out from the site and leaves the browser idle, or some network failure happens... In this case also, I will bind a class to the user session, and when the session times out, this class will set the status to OFF.
I have implemented the same on JWS and it is working fine, but I am getting a problem on iPlanet... Any ideas, or any new solution to this problem?
bye!
sj
Frank Carver
Sheriff

Joined: Jan 07, 1999
Posts: 6920
"sjhyam m",
The Java Ranch has thousands of visitors every week, many with surprisingly similar names. To avoid confusion we have a naming convention, described at http://www.javaranch.com/name.jsp . We require names to have at least two words, separated by a space, and strongly recommend that you use your full real name. Posts which contravene the naming convention are not eligible to win books! Please log in with a new name which meets the requirements.

Thanks.


Dustin Marx
Ranch Hand

Joined: Mar 06, 2001
Posts: 40
I would be interested in any alternate suggestions people might have for handling this issue as well since I have run into it before and don't really feel comfortable with any of the solutions used in the past.
Desai Sandeep
Ranch Hand

Joined: Apr 02, 2001
Posts: 1157
Hi,
I have a LoginManager bean, which keeps track of the users who have logged in. This bean would be at the application scope in my JSP.
The relevant code for LoginManager is here:

Then in your JSP you could provide a check for Duplicate Login at the very beginning of the page:

Hope this helps.
Regards,


------------------
Sandeep Desai
vgdesai@bom3.vsnl.net.in

  1. Sun Certified Java Programmer Scored 93 per cent
  2. Oracle JDeveloper Rel. 3.0 - Develop Database Applications with Java Scored 56 out of 59
  3. IBM Enterprise Connectivity with J2EE Scored 72 per cent
  4. Enterprise Development on the Oracle Internet Platform Scored 44 out of 56


Dustin Marx
Ranch Hand

Joined: Mar 06, 2001
Posts: 40
Thanks for the examples. I'll definitely look into that approach. Although, as we have discussed on another thread, I'll probably put the Java syntax in the JSP in a custom tag that can be included at the top of each page. Thanks again.
Desai Sandeep
Ranch Hand

Joined: Apr 02, 2001
Posts: 1157
Hi Dustin,
Let me know if you come across any other approach. When I did this, I used a Hashtable to store the users who had logged in. Probably you could do away with that and use the application implicit object setAttribute(), which is nothing but a Hashtable.
Hope this helps.
Regards,

Bhupinder Dhillon
Ranch Hand

Joined: Oct 12, 2000
Posts: 124
Originally posted by Desai Sandeep:
Hi,
I have a LoginManager bean, which keeps track of the users who have logged in. This bean would be at the application scope in my JSP.

Sandeep, are you not storing user_ids and passwords somewhere in the LDAP directory or a database? If you are, then why do you have to create a login manager to keep track of the users? That's the job of a session to track a user.
Desai Sandeep
Ranch Hand

Joined: Apr 02, 2001
Posts: 1157
Hi Bhupinder,
That's correct. I can use the session functionality to check/validate the users who are active/logged in. That is precisely what I have suggested in my earlier post:

[..] When I did this, I used a Hashtable to store the users who had logged in. Probably you could do away with that and use the application implicit object setAttribute(), which is nothing but a Hashtable.

Since the LoginManager bean keeps track of the users who are active, we might as well use the approach of the session instead.
That would probably be one more way of checking Duplicate Login.
Let us know any further ways by which this could be achieved.
Regards,


sjhyam m
Greenhorn

Joined: Apr 26, 2001
Posts: 7
hi!
I have a solution for myself for the first part of the question. What about this:
Here, the real problem comes when the user does not log out from the site and leaves the browser idle, or some network failure happens... In this case also, I will bind a class to the user session, and when the session times out, this class will set the status to OFF.
Any comments on this?
Desai Sandeep
Ranch Hand

Joined: Apr 02, 2001
Posts: 1157
Hi Sjhyam,
You would need to refer to your web server documentation as to how the server supports timeouts. Most probably, you can set the header information. You can also code it yourself, if your web server does not take care of this aspect.
Hope this helps
Regards,
Peter den Haan
author
Ranch Hand

Joined: Apr 20, 2000
Posts: 3252
Originally posted by sjhyam m:
Here, the real problem comes when the user does not log out from the site and leaves the browser idle, or some network failure happens... In this case also, I will bind a class to the user session, and when the session times out, this class will set the status to OFF.
Any comments on this?

Personally, I would regard these problems as fatal. If I were a user, and my browser would crash or my modem would hang up, and I would no longer be able to log into a site for half an hour: I would be pretty miffed.
You could try to reduce the scope of this problem. For instance, when you mark a user as "logged in", you could also note the client's browser version and IP address range (ServletRequest.getRemoteAddr() -- use only the first and maybe second number, not the entire IP address!). If a second login attempt matches this information, you allow it. This should cater for most browser and connection mishaps.
Or you use a different approach altogether -- instead of refusing the second login, you kick out the first login. One way to implement this is to store the session ID in a database or application-scoped session registry bean. You keep track of exactly one session ID per user. When a user logs in, you store the new session ID, overwriting any previous ID. Once in a while (e.g., every request) a session checks whether it is still the registered ID for the user; if not, the session is invalidated and the user redirected to a logout screen citing the reason.
- Peter
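
The "kick out the first login" registry described in the post above, as an added example that is not code from this thread: it keeps one session ID per user, lets a new login overwrite the old ID, and removes an entry only if the expiring session is still the registered one. The class name `SessionRegistry`, its method names and the sample values are hypothetical; the servlet wiring (a Filter and an HttpSessionListener) is indicated in comments only.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

/** Keeps exactly one registered session ID per user; a new login displaces the old one. */
public class SessionRegistry {
    private final ConcurrentMap<String, String> current = new ConcurrentHashMap<>();

    /** Call after a successful login. Returns the displaced session ID, or null. */
    public String register(String userId, String sessionId) {
        return current.put(userId, sessionId);
    }

    /** Call on every request, e.g. from a servlet Filter. If false, the caller
     *  invalidates the HttpSession and redirects to the logout page. */
    public boolean isCurrent(String userId, String sessionId) {
        return sessionId.equals(current.get(userId));
    }

    /** Call on logout or timeout, e.g. from HttpSessionListener.sessionDestroyed().
     *  Conditional remove: when the displaced session finally expires it must not
     *  erase the registration of the newer session. */
    public boolean unregister(String userId, String sessionId) {
        return current.remove(userId, sessionId);
    }

    public static void main(String[] args) {
        SessionRegistry registry = new SessionRegistry();
        String user = "alice";                       // constructed sample values
        registry.register(user, "session-A");        // first login
        String displaced = registry.register(user, "session-B"); // second login elsewhere
        System.out.println("displaced session:     " + displaced);
        System.out.println("session-A still valid: " + registry.isCurrent(user, "session-A"));
        System.out.println("session-B still valid: " + registry.isCurrent(user, "session-B"));
        // The stale session times out later; the conditional remove leaves session-B alone.
        System.out.println("stale unregister hit:  " + registry.unregister(user, "session-A"));
        System.out.println("session-B still valid: " + registry.isCurrent(user, "session-B"));
    }
}
```

Because the registry never refuses a login, a crashed browser or dropped connection cannot lock the user out; the abandoned session simply fails its next `isCurrent` check or times out on its own.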
 