multiple sessions and single sign on

 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 33699
We have several applications under a single sign on (under WebSphere.) When a user logs out of one, the user should not be able to access any of the sessions. The sessions are all persisted in one database.

One idea for the design is to have a trigger that clears the database periodically of timed out sessions. There could be something else that forces all the sessions to be deleted if the user logs out. But this seems more complex than necessary for something that is common. Has anyone done this before, or does anyone have any comments on a better design?

[edited to fix typo]
[ October 21, 2004: Message edited by: Jeanne Boyarsky ]
 
David O'Meara
Rancher
Posts: 13459
We once tried playing with a session listener, but you may run into real problems with WebSphere, since WAS doesn't fire a timeout event until it feels like it - this may be several minutes after the actual session expiry.

I've always been wary of persisting sessions in the database; I've seen applications go horribly wrong due to it. But, failing this, you may be able to store the session ID and expiry time in the DB, then send logout HTTP requests on behalf of the user. As I said, I'm not too confident though.
 
Adeel Ansari
Ranch Hand
Posts: 2874
Originally posted by David O'Meara:
But, failing this, you may be able to store the session ID and expiry time in the DB, then send logout HTTP requests on behalf of the user. As I said, I'm not too confident though.


If I am not wrong, session expiry is something that depends on max inactive intervals, right?

OK, on a user sign-in we just store a session ID and the time-out for that particular user in the DB. Say, for example,

sess038585 --------- 30

Now the user has been constantly using the system for the last 29 minutes. So what will you do: update the time-out in the DB, or force a log-out for that particular user after a minute?
 
Adeel Ansari
Ranch Hand
Posts: 2874
Jeanne, could you please elaborate on your trigger idea a bit more?
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 33699
Originally posted by David O'Meara:
I've always been wary of persisting sessions in the database; I've seen applications go horribly wrong due to it. But, failing this, you may be able to store the session ID and expiry time in the DB, then send logout HTTP requests on behalf of the user. As I said, I'm not too confident though.

David,
I thought that you have to persist the session to implement cloning?

I think you are on to something with the send "logout HTTP requests on behalf of the user." When a user initiates logout, if we could direct them to something that would log them out of all applications, we wouldn't have to handle it specially from a database perspective. This is definitely something I will investigate further.

Adeel,
Initially I thought the trigger would clean up sessions over 30 minutes old. But from David's explanation, I'm thinking that would happen automatically when the session times out.
 
David O'Meara
Rancher
Posts: 13459
Originally posted by Jeanne Boyarsky:

David,
I thought that you have to persist the session to implement cloning?


When you configure clustering in app servers, it is done by the server and managed as a part of its own session management. Any time I've seen someone implement their own session management separate from that provided by the container (such as trying to track who's logged in and who isn't and prevent duplicate logins), things eventually go horribly wrong.

This is of course a broad generalisation and doesn't mean 'in all cases on all servers', but I guess it's a warning of something I've learnt to be wary of.
 
Jeff Wu
Greenhorn
Posts: 1
If the session management does not work, you have to implement it yourself, especially for today's portal technology, not mature enough. At the beginning, something may be wrong, but at least you move forward to success.
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 33699
316
Eclipse IDE Java VI Editor
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by David O'Meara:
When you configure clustering in app servers, it is done by the server and managed as a part of its own session management..

Right. We are using Websphere's database session persistence. I guess I meant that Websphere has to persist the database on your behalf.

I certainly don't want to be implementing anything WebSphere already does! But they don't provide support for logging out of multiple web apps at the same time, so we have to do that.

Jeff,
Luckily we aren't using anything that cutting edge. And welcome to JavaRanch!
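
One way to get the "log out of every application" behaviour discussed in this thread without touching the container's own session tables or waiting for its timeout event, as an added example that is not code from any poster or from WebSphere: each application checks a shared per-user logout timestamp on every request and invalidates its own local session if that session predates the last logout. Assumptions: the `javax.servlet` API, a container-authenticated user via `getRemoteUser()`, a hypothetical `sso_logout` table, JNDI name and `/login` path, roughly synchronised server clocks, and an SSO layer that ends the sign-on token itself.

```java
import java.io.IOException;
import java.sql.*;
import javax.naming.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.sql.DataSource;
// Assumed shared table (hypothetical), one row per user seeded with logged_out_at = 0:
//   CREATE TABLE sso_logout (user_id VARCHAR(64) PRIMARY KEY, logged_out_at BIGINT NOT NULL)
public class GlobalLogoutFilter implements Filter {
    private DataSource ds;
    public void init(FilterConfig cfg) throws ServletException {
        try { ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/sso"); } // hypothetical JNDI name
        catch (NamingException e) { throw new ServletException(e); }
    }
    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession session = req.getSession(false); // never create a session just to check it
        String user = req.getRemoteUser();
        if (session != null && user != null) {
            try {
                // A session created at or before the user's last global logout is dead.
                if (lastLogout(ds, user) >= session.getCreationTime()) {
                    session.invalidate();
                    ((HttpServletResponse) rs).sendRedirect(req.getContextPath() + "/login"); // hypothetical path
                    return;
                }
            } catch (SQLException e) { throw new ServletException(e); } // fail closed on DB errors
        }
        chain.doFilter(rq, rs);
    }
    // Called by whichever application receives the logout click, before it invalidates its own session.
    public static void recordLogout(DataSource ds, String user) throws SQLException {
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(
                "UPDATE sso_logout SET logged_out_at = ? WHERE user_id = ?")) {
            ps.setLong(1, System.currentTimeMillis());
            ps.setString(2, user);
            if (ps.executeUpdate() != 1) throw new SQLException("no sso_logout row for user");
        }
    }
    static long lastLogout(DataSource ds, String user) throws SQLException {
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(
                "SELECT logged_out_at FROM sso_logout WHERE user_id = ?")) {
            ps.setString(1, user);
            try (ResultSet r = ps.executeQuery()) { return r.next() ? r.getLong(1) : 0L; }
        }
    }
}
```

The other applications' sessions are rejected on their next request and their rows are left for the container to expire normally, so no trigger or cross-application cleanup job is needed.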
 