How to prevent duplicate logins

Sajee Joseph
Ranch Hand

Joined: Jan 17, 2001
Posts: 200
Hi,
I have some servlets deployed on a Tomcat server.
My application requires a login id and password.
Thus I have a login screen. How do I prevent 2 people from logging in using the same login id and password? I thought I would have a status field in the database to show if the person is logged in. Thus if someone else logs in using the same id and password, I will not let him log in. And I will provide a logout button, so that a user can log out, which will update the status field in the database. But this has a problem: what if the user just quits the browser without clicking the Logout button?
So what do I do? How do I really tackle this? What is the best approach?
Regards
Saj
Deepak Shah
Ranch Hand

Joined: Nov 29, 2000
Posts: 97
I think
you can have a separate daemon thread running on the server, which can track the time since a person logged in. After a pre-defined time you can mark the person logged out.
But this has a flaw: if you set the time to, say, 6 mins, then a valid user who is working will automatically be logged out after every 6 mins.
To cope with this, you can have one more additional field in the database, say last activity time. The daemon thread should start counting from this time, i.e. if a user is INACTIVE for the specified time he can be logged out.
This imposes overhead, but if your requirements are so, you may have to go for such a solution.
Regards,
Deepak
Manohar Karamballi
Ranch Hand

Joined: Jul 17, 2001
Posts: 227
Use the session timeout concept.
In detail:
1) Set a session timeout for your application.
2) Whenever a user logs in, store his userId and password in the Active user list (maybe in the Servlet Context).
3) When some different user logs in, check the user name in the Active list. If it is already present, deny that (2nd) user's login.
4) Now when the user clicks logout, remove the corresponding entries from the table.
5) If the user clicked 'X' in the browser window and exited, delete his entries from the table after the session timeout period.
6) Even if the user is working for a period t (t > session timeout time), the session cannot be timed out, as the user is sending one request or another.
Hope this helps.
Rgds
Manohar
Gabriel Cane
Ranch Hand

Joined: Mar 27, 2001
Posts: 39
Originally posted by Manohar Karamballi:
Use the session timeout concept.
5) If the user clicked 'X' in the browser window and exited, delete his entries from the table after the session timeout period.

I know how to set the session timeout in the Session object. What I don't know how to do is write a segment of code that will determine whether or not the session has timed out. To my knowledge, there is no method in HttpSession that indicates the time that the user originally logged in. As far as I know, I only have access to the length of the session timeout, and the current time.
Is there a way to programmatically determine whether or not the user has timed out?


Sun Certified Programmer for the Java 2 Platform
Mike Curwen
Ranch Hand

Joined: Feb 20, 2001
Posts: 3695

Yup.

Check out HttpSessionBindingListener
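
The following is an added example, not code from any poster in this thread, showing how an HttpSessionBindingListener can keep the active-user list in step with logout and session timeout. The class name ActiveUser, the methods tryLogin and logout, the attribute name "activeUser" and the 15-minute timeout are assumptions, as is a single (non-clustered) Tomcat instance; only the user id is stored in the list.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Hypothetical session attribute that marks one logged-in user. */
public class ActiveUser implements HttpSessionBindingListener {

    // user id -> id of the session that currently holds the login.
    // Only the id is kept here; passwords do not belong in this list.
    private static final ConcurrentMap<String, String> ACTIVE = new ConcurrentHashMap<>();

    private final String userId;
    private final String sessionId;

    private ActiveUser(String userId, String sessionId) {
        this.userId = userId;
        this.sessionId = sessionId;
    }

    /** Call after the credentials were verified; false means "already logged in". */
    public static boolean tryLogin(HttpSession session, String userId) {
        // putIfAbsent is atomic, so two simultaneous logins cannot both succeed.
        if (ACTIVE.putIfAbsent(userId, session.getId()) != null) {
            return false;
        }
        session.setMaxInactiveInterval(15 * 60); // assumed idle timeout, in seconds
        session.setAttribute("activeUser", new ActiveUser(userId, session.getId()));
        return true;
    }

    /** Logout button: invalidating the session unbinds the attribute. */
    public static void logout(HttpSession session) {
        session.invalidate();
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        // Nothing to do: the entry was registered in tryLogin.
    }

    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        // The container calls this on logout and on idle timeout alike, so a
        // closed browser frees the login once the session expires.
        // remove(key, value) clears the entry only if this session still owns it.
        ACTIVE.remove(userId, sessionId);
    }
}
```

Each request resets the idle timer, so a user who keeps working is not logged out, while a user who closes the browser is released after the timeout without any polling thread.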
 