JavaRanch » Java Forums » Java » Servlets
multiple sessions and single sign on

Jeanne Boyarsky, Marshal (joined May 26, 2003):
We have several applications under a single sign on (under WebSphere.) When a user logs out of one, the user should not be able to access any of the sessions. The sessions are all persisted in one database.

One idea for the design is to have a trigger that clears the database periodically of timed out sessions. There could be something else that forces all the sessions to be deleted if the user logs out. But this seems more complex than necessary for something that is common. Has anyone done this before or have any comments on a better design?

[edited to fix typo]
[ October 21, 2004: Message edited by: Jeanne Boyarsky ]

David O'Meara, Rancher (joined Mar 06, 2001):
We once tried playing with a session listener, but you may run into real problems with WebSphere, since WAS doesn't fire a timeout event until it feels like it - this may be several minutes after the actual session expiry.

I've always been wary of persisting sessions in the database, I've seen applications go horribly wrong due to it. But, failing this, you may be able to store the session id and expiry time in the DB, then send logout HTTP requests on behalf of the user. As I said, I'm not too confident though.

Adeel Ansari, Ranch Hand (joined Aug 15, 2004):
Originally posted by David O'Meara:
But, failing this, you may be able to store the session id and expiry time in the DB, then send logout HTTP requests on behalf of the user. As I said, I'm not too confident though.


If I am not wrong, session expiry is something that depends on the max inactive interval, right?

OK, on user sign-in we just store a session id and the time-out for that particular user in the DB. Say, for example,

sess038585 --------- 30

Now the user has been constantly using the system for the last 29 minutes. So what will you do: update the time-out in the DB, or force a log-out for that particular user after a minute?

Adeel Ansari, Ranch Hand (joined Aug 15, 2004):

Jeanne, could you please elaborate your trigger idea a bit more?
Jeanne Boyarsky, Marshal (joined May 26, 2003):
Originally posted by David O'Meara:
I've always been wary of persisting sessions in the database, I've seen applications go horribly wrong due to it. But, failing this, you may be able to store the session id and expiry time in the DB, then send logout HTTP requests on behalf of the user. As I said, I'm not too confident though.

David,
I thought that you have to persist the session to implement cloning?

I think you are on to something with the send "logout HTTP requests on behalf of the user." When a user initiates logout, if we could direct them to something that would log them out of all applications, we wouldn't have to handle it specially from a database perspective. This is definitely something I will investigate further.

Adeel,
Initially I thought the trigger would clean up sessions over 30 minutes old. But from David's explanation, I'm thinking that would happen automatically when the session times out.
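The "one logout that kills every session" design the thread converges on, plus Adeel's sliding-expiry question, as an added example that is not code from the original posters or from WebSphere. It assumes Servlet 3.0+ annotations, that each app's sign-in code stores the user name in a session attribute called "user" and calls SessionRegistry.register() after authenticating, and it uses a static in-JVM map as a stand-in for the shared session table; the names SessionRegistry, SsoSessionFilter and GlobalLogoutServlet are mine. In a real deployment the registry is the database table (or a class in a shared library) and each class lives in its own public source file.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Stand-in for the shared table: session id -> (user, last access, timeout, revoked). */
final class SessionRegistry {
    static final class Entry {
        final String user;
        final int maxInactiveSeconds;
        volatile long lastAccessMillis;
        volatile boolean revoked;
        Entry(String user, int maxInactiveSeconds, long now) {
            this.user = user; this.maxInactiveSeconds = maxInactiveSeconds; this.lastAccessMillis = now;
        }
    }
    private static final Map<String, Entry> BY_SESSION_ID = new ConcurrentHashMap<>();

    /** Called once by the (assumed) sign-in servlet after the user is authenticated. */
    static void register(HttpSession session, String user) {
        BY_SESSION_ID.put(session.getId(),
                new Entry(user, session.getMaxInactiveInterval(), System.currentTimeMillis()));
    }

    /**
     * Sliding expiry, the same rule the container uses: live while
     * now - lastAccess <= maxInactiveInterval and not revoked. Each passing
     * request refreshes the access time, so a user active for 29 minutes is
     * never cut off and no row has to be "reset to 30" by hand.
     */
    static boolean touch(String sessionId, long now) {
        Entry e = BY_SESSION_ID.get(sessionId);
        if (e == null || e.revoked || now - e.lastAccessMillis > e.maxInactiveSeconds * 1000L) {
            return false;
        }
        e.lastAccessMillis = now;
        return true;
    }

    /** Global logout: mark every session of this user dead, whichever app created it. */
    static int revokeAll(String user) {
        int n = 0;
        for (Entry e : BY_SESSION_ID.values()) {
            if (e.user.equals(user) && !e.revoked) { e.revoked = true; n++; }
        }
        return n;
    }

    /** The periodic clean-up the thread's "trigger" would do: drop revoked or timed-out rows. */
    static int purge(long now) {
        int before = BY_SESSION_ID.size();
        BY_SESSION_ID.values().removeIf(
                e -> e.revoked || now - e.lastAccessMillis > e.maxInactiveSeconds * 1000L);
        return before - BY_SESSION_ID.size();
    }
}

/**
 * Deployed in every app under the SSO umbrella. It does not depend on the
 * container's timeout listener (which WAS may fire late): the registry is
 * checked on every request, so a revoked session dies on its next use.
 */
@WebFilter("/*")
class SsoSessionFilter implements Filter {
    public void init(FilterConfig config) { }
    public void destroy() { }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        if (session != null && session.getAttribute("user") != null
                && !SessionRegistry.touch(session.getId(), System.currentTimeMillis())) {
            session.invalidate(); // revoked by a logout elsewhere, or timed out in the registry
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }
}

/** The one logout URL users are sent to; it revokes all of their sessions, not just this app's. */
@WebServlet("/logout")
class GlobalLogoutServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            Object user = session.getAttribute("user");
            if (user != null) {
                SessionRegistry.revokeAll(user.toString());
            }
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/");
    }
}
```

The point of the filter is that no app has to reach into another app's HttpSession (the servlet API gives no way to invalidate a session by id from elsewhere): the logout only flips a flag in the shared table, and each app invalidates its own copy the next time that session shows up. The cost is one registry read and write per request, which is the price of not trusting the container's late timeout events; purge() is then only housekeeping, never the thing that actually ends a session.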
David O'Meara, Rancher (joined Mar 06, 2001):
Originally posted by Jeanne Boyarsky:

David,
I thought that you have to persist the session to implement cloning?


When you configure clustering in app servers, it is done by the server and managed as a part of its own session management. Any time I've seen someone implement their own session management separate from that provided by the container (such as trying to track who's logged in and who isn't and prevent duplicate logins), things eventually go horribly wrong.

This is of course a broad generalisation and doesn't mean 'in all cases on all servers', but I guess it's a warning of something I've learnt to be wary of.
Jeff Wu, Greenhorn (joined Oct 21, 2004):

If the session management does not work, you have to implement it yourself, especially for today's portal technology, which is not mature enough. At the beginning, something may be wrong, but at least you move forward to success.
Jeanne Boyarsky, Marshal (joined May 26, 2003):

Originally posted by David O'Meara:
When you configure clustering in app servers, it is done by the server and managed as a part of its own session management.

Right. We are using Websphere's database session persistence. I guess I meant that Websphere has to persist the database on your behalf.

I certainly don't want to be implementing anything WebSphere already does! But they don't provide support for logging out of multiple web apps at the same time, so we have to do that.

Jeff,
Luckily we aren't using anything that cutting edge. And welcome to JavaRanch!