How to block multiple logins of the same user

Surasak Leenapongpanit
Ranch Hand

Joined: May 10, 2002
Posts: 341
What is the best way to block or prevent someone from logging in more than once at the same time with the same user?
Jeroen Wenting
Ranch Hand

Joined: Oct 12, 2000
Posts: 5093
You'll have to maintain a list of logged in users and check that list before you attempt to verify the password.
Make sure you also have a job running which clears any logged in users whose sessions have timed out out of the list (SessionListener might be a good way to do this).


Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30949

You have to be careful with this. What if I close the browser window and try to log in again? My original session still exists and has not been invalidated. Do you want the user to have to wait 30 minutes to have to get back in?
I would add an "are you sure" type mechanism if the user tries to log in again. If he really wants to log in, you could invalidate the first (inaccessible) session.


sunitha reghu
Ranch Hand

Joined: Dec 12, 2002
Posts: 937
Originally posted by Jeanne Boyarsky:
You have to be careful with this. What if I close the browser window and try to log in again? My original session still exists and has not been invalidated. Do you want the user to have to wait 30 minutes to have to get back in?


If a user closes the browser and opens a new browser, then the user will be assigned a new session, right? So why would the user want to wait 30 minutes?

I would add an "are you sure" type mechanism if the user tries to log in again. If he really wants to log in, you could invalidate the first (inaccessible) session

Can you please explain what that "are you sure" mechanism is?
Ko Ko Naing
Ranch Hand

Joined: Jun 08, 2002
Posts: 3178
Originally posted by sunitha ragam:

Can you please explain what that "are you sure" mechanism is?

That mechanism can make sure that the system will invalidate the user's previous session, create a session and associate with the user as a newly created session... We are not supposed to wait until the session time out to login again... Hope it helps....


Co-author of SCMAD Exam Guide, Author of JMADPlus
SCJP1.2, CCNA, SCWCD1.4, SCBCD1.3, SCMAD1.0, SCJA1.0, SCJP6.0
Prakash Dwivedi
Ranch Hand

Joined: Sep 28, 2002
Posts: 452
If a user closes the browser and opens a new browser, then the user will be assigned a new session, right? So why would the user want to wait 30 minutes?
This is exactly what we don't want; we don't want the same user to be able to log in multiple times. At the server, the session will be maintained for 30 min (or the time specified in web.xml). So for the next 30 min the server will assume that this same user is trying to log in again. In this situation there are two options:
1. Do nothing; the user will wait for 30 min before he can log in.
2. If the user logs in again, then invalidate the previous sessions.
The second option is preferred (it is used in Yahoo Messenger as well).


Prakash Dwivedi (SCJP2, SCWCD, SCBCD)
"Failure is not when you fall down, Its only when you don't get up again"
Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8919

I would add an "are you sure" type mechanism if the user tries to log in again. If he really wants to log in, you could invalidate the first (inaccessible) session

Could you please tell me how to invalidate the previous user session? How do you get hold of the previous session id?
[ January 29, 2004: Message edited by: Pradeep Bhat ]

Groovy
Ko Ko Naing
Ranch Hand

Joined: Jun 08, 2002
Posts: 3178
Originally posted by Pradeep Bhat:

Could you please tell me how to invalidate the previous user session? How do you get hold of the previous session id?
[ January 29, 2004: Message edited by: Pradeep Bhat ]

Using external resources like database.. But I believe that it's not an efficient way.....
sing
Ranch Hand

Joined: Nov 29, 2001
Posts: 121
Another alternative is to store session state in business tier - using session bean..
Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8919

Originally posted by Ko Ko Naing:

Using external resources like database.. But I believe that it's not an efficient way.....

You mean to say that storing session id in database? How will it work?
How do I get the session using a session id?
[ January 29, 2004: Message edited by: Pradeep Bhat ]
Varun Khanna
Ranch Hand

Joined: May 30, 2002
Posts: 1400
Originally posted by Pradeep Bhat:

Could you please tell me how to invalidate the previous user session? How do you get hold of the previous session id?
[ January 29, 2004: Message edited by: Pradeep Bhat ]

How about this ...
Moment the user logs-in and a session is created for the user, put the session object in the servlet context against the userId "String".
Now if the user tries to re-login, before creating the session try to see if there is any session object against that user-id "String" in servlet context, and if there is .. invalidate that session and create a new session.


- Varun
Varun Khanna
Ranch Hand

Joined: May 30, 2002
Posts: 1400
Originally posted by Steffy:
Another alternative is to store session state in business tier - using session bean..

So till now you got away with this??
Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8919

Originally posted by Varun Khanna:

How about this ...
Moment the user logs-in and a session is created for the user, put the session object in the servlet context against the userId "String".
Now if the user tries to re-login, before creating the session try to see if there is any session object against that user-id "String" in servlet context, and if there is .. invalidate that session and create a new session.

..and don't forget to remove the session from the servlet context when the session times out
Ko Ko Naing
Ranch Hand

Joined: Jun 08, 2002
Posts: 3178
Originally posted by Pradeep Bhat:

You mean to say that storing session id in database? How will it work?
How do I get the session using a session id?
[ January 29, 2004: Message edited by: Pradeep Bhat ]

Saving user id, when he/she first logged into the system with a flag in the database and using that flag to determine whether he/she has logged out from the system or not... And the next time when he/she logged in, check that flag to know whether he/she has logged out from the system or not... Of course it's not an efficient way...
Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8919

Ko Ko,
Consider
1. User logs in
2. Database updated to logged status
3. Application server crashes
4. user tries to log in again
5. User cannot log in because of the logged status (of course we could clear the flags when the app server starts)
Ko Ko Naing
Ranch Hand

Joined: Jun 08, 2002
Posts: 3178
Originally posted by Pradeep Bhat:
Ko Ko,
Consider
1. User logs in
2. Database updated to logged status
3. Application server crashes
4. user tries to log in again
5. User cannot log in because of the logged status (of course we could clear the flags when the app server starts)

Yeah, Pradeep.... That's what I mean as well... It's nice that we have such a conversation like we did before..
How's your SCWCD Beta exam? I know you could do it, couldn't you? :roll:
Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8919

How's your SCWCD Beta exam? I know you could do it, couldn't you?

Don't ask.
sunitha reghu
Ranch Hand

Joined: Dec 12, 2002
Posts: 937
Originally posted by Ko Ko Naing:

That mechanism can make sure that the system will invalidate the user's previous session, create a session and associate with the user as a newly created session... We are not supposed to wait until the session time out to login again... Hope it helps....


I know that, but the question is how to invalidate the previous session in an efficient way,
which no one could answer till now.
Ko Ko Naing
Ranch Hand

Joined: Jun 08, 2002
Posts: 3178
Originally posted by sunitha ragam:


I know that, but the question is how to invalidate the previous session in an efficient way,
which no one could answer till now.

Simply use request.getSession().invalidate(); or it will be automatically invalidated by the web container after the session time out... What we set in the database is just a flag to show that the user did not log out in the past.... The session might already be invalidated a long time ago... Hope it is clear...
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30949

I wouldn't use a database for storing the session id. As pointed out earlier, there are synchronization issues. More importantly, I wouldn't want to have the overhead of accessing the database an extra time whenever any user does something.
I would create a map (in application scope) with the username as a key and the session as a value. A session listener could be used to delete the session from the map when the session is invalidated or timed out. If the user wants to log in a second time, this provides an easy place to locate the old session and explicitly invalidate it.
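The application-scope map and session listener described in the post above, as an added Java example that is not part of the original thread. The class name `SingleLoginRegistry` and the attribute name are hypothetical; it assumes the `javax.servlet` API on a Servlet 2.4 or later container, where `sessionDestroyed` runs while the session's attributes are still readable.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class; register it as a <listener> in web.xml.
public class SingleLoginRegistry implements HttpSessionListener {
    // Hypothetical session attribute that holds the authenticated username.
    static final String USER_ATTR = "singleLogin.username";
    // username -> the one session currently allowed for that user
    private static final ConcurrentMap<String, HttpSession> ACTIVE =
            new ConcurrentHashMap<String, HttpSession>();

    // Backs the "are you sure" prompt: is another session live for this user?
    public static boolean hasOtherSession(String username, HttpSession current) {
        HttpSession s = ACTIVE.get(username);
        return s != null && s != current;
    }

    // Call only after the password has been verified (and the user confirmed),
    // so that knowing a username is not enough to end someone else's session.
    public static void login(String username, HttpSession fresh) {
        fresh.setAttribute(USER_ATTR, username);
        HttpSession old = ACTIVE.put(username, fresh);
        if (old != null && old != fresh) {
            try {
                old.invalidate();           // fires sessionDestroyed(old)
            } catch (IllegalStateException alreadyGone) {
                // the old session had already timed out; nothing left to do
            }
        }
    }

    public void sessionCreated(HttpSessionEvent e) { }

    // Runs on logout, on explicit invalidate() and on container timeout,
    // so no separate cleanup job is needed.
    public void sessionDestroyed(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        Object user = s.getAttribute(USER_ATTR);
        if (user != null) {
            // Two-argument remove: drop the entry only if it still points at this
            // session, so destroying the old session never evicts its replacement.
            ACTIVE.remove((String) user, s);
        }
    }
}
```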
sunitha reghu
Ranch Hand

Joined: Dec 12, 2002
Posts: 937
Again, I KNOW request.getSession().invalidate(); or it will be automatically invalidated by the web container after the session time out...
That is why in web.xml we write the session time out, for the web container to invalidate the session...
But the question here is: suppose the user logged in with one browser open and again opened one more window and logged in again. In that scenario, how to invalidate the session? I think instead of going to the db and setting the flag and all that stuff, which hits the performance, it's better to get the IP and then invalidate.
Hope it's clear to you.
Originally posted by Ko Ko Naing:

Simply use request.getSession().invalidate(); or it will be automatically invalidated by the web container after the session time out... What we set in the database is just a flag to show that the user did not log out in the past.... The session might already be invalidated a long time ago... Hope it is clear...

[ January 30, 2004: Message edited by: sunitha raghu ]
Ko Ko Naing
Ranch Hand

Joined: Jun 08, 2002
Posts: 3178
Originally posted by Jeanne Boyarsky:
I would create a map (in application scope) with the username as a key and the session as a value. A session listener could be used to delete the session from the map when the session is invalidated or timed out..

What if your application is down? Then everything inside that map will be gone... As I have mentioned before, using external resources like a database is not an efficient way; they are not volatile... And it is not a smart way to save the session id... Pradeep Bhat has already mentioned it... So we have to use the user id and a flag to mark the login status...
Ko Ko Naing
Ranch Hand

Joined: Jun 08, 2002
Posts: 3178
Originally posted by sunitha raghu:
I think instead of going to the db and setting the flag and all that stuff, which hits the performance, it's better to get the IP and then invalidate.
Hope it's clear to you.

Well, if you are going to use the volatile variables, what if your web app is down? You might want to have a look at my post above about it... Anyway, this discussion is some kind of worthy one... Let's try to solve it till we get the most reasonable answer...
sunitha reghu
Ranch Hand

Joined: Dec 12, 2002
Posts: 937
When the web app went down, the session got invalidated.
Then I don't need to worry about users' multiple logins.
The issue is not that.
{Hope it's clear now}
Originally posted by Ko Ko Naing:

Well, if you are going to use the volatile variables, what if your web app is down? You might want to have a look at my post above about it... Anyway, this discussion is some kind of worthy one... Let's try to solve it till we get the most reasonable answer...
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30949

Sunitha,
The IP address isn't enough to be unique. At work we go through a proxy server so it looks as if everybody is going through the same IP.
The session id is unique. I'm not sure how we got away from that.
bharat nagpal
Ranch Hand

Joined: Oct 26, 2002
Posts: 76
So the answer is still not clear.
I would use a database and store the session-related information in the database. There is no point saying "what if the database goes down!" There is always some backup for the database. So the best way is to store the user session info and, if the user logs in again, invalidate the previous message. I think other approaches are quite difficult to manage.
Please suggest a better approach, if someone can?
 