Prevent Duplicate Logins

K Riaz
Ranch Hand

Joined: Jan 08, 2005
Posts: 375
I have a simple servlet which maintains active users. They are active when they successfully log in, and deemed inactive if they manually click on the logout button from the client, which is used to remove them from a HashMap of current users.

The problem is that if the user just closes the browser, I don't know how to determine this to remove them from the HashMap of active users. I realise that no message is sent from the client to the server when a user agent is closed. So how can I do this? I already have a session timeout, but this is not so good because if the user accidentally closes the browser, they will not be able to log back in until the old session times out. The whole point of my servlet is to prevent duplicate logins, so they will be locked out until the session terminates, before being able to get back in again.

Can anyone think of a better solution to prevent duplicate logins? I simply store the username in the HashMap as a String object (the username parameter), and every time a client tries to log in, the servlet checks to see if the username matches an existing username in the HashMap. If not, they are authenticated and, if successful, added to the HashMap ready for the next login attempt.

I have already searched but found nothing concrete.
[ March 30, 2005: Message edited by: Kashif Riaz ]
Jeffrey Spaulding
Ranch Hand

Joined: Jan 15, 2004
Posts: 149
Kashif,

no concrete? But "Es kommt drauf an, was man draus macht" ("It depends on what you make of it")

... anyway

I think there is no elegant way to solve this. This question arises on
a very regular basis here. We have much better persistence with Servlets
than we had in the olde CGI days, but since essential client events
simply don't exist (having a "browserInstanceClosed" event in JavaScript
would be paradise), you have to cope with this annoying phenomenon.

So closing the window means leaving the context of authenticated usage
for the user.

Only thing I could imagine would be the use of a handcarved session-cookie
on the client side, but that would mean cookies need to be enabled for your
application to run.

And since we can read so many bad things in the popular computer press about
cookies (drink all the cold beer in the fridge and replace it with lukewarm
diet pepsi, tell your wife the phone number of your girlfriend and even
worse - vice versa) chances are the coward user will have cookies disabled.




J.
[ March 30, 2005: Message edited by: Jeffrey Spaulding ]
Pete Harris
Ranch Hand

Joined: Feb 05, 2003
Posts: 39
Kashif,

I (along with about 1 million other people, it seems) had this problem and 'solved' it by checking the hash map of logged in users to see if the user was already logged in. If so I transferred all the session attributes over to the newly created session and automatically invalidated the old one.

This had the effect of restoring a user's old session if they logged in before the session timed out, otherwise a new session was created from scratch. It's not a particularly elegant solution and causes quite interesting problems if a user tried to log in twice on different browsers, but it was better than nothing.

cheers,
Pete
Sripathi Krishnamurthy
Ranch Hand

Joined: Mar 07, 2005
Posts: 232
There is an interesting way to solve this.
There is one function in JavaScript, which is the onUnload() function. When a browser window is closed, this unload function is called. Use the code and tell us all whether this can solve your problem. By the way, this works only with IE. Yet to research in Netscape and Mozilla.



In the servlet "LogOff" remove the user from the HashMap and give a message which says "you have been logged off". The message will appear in a popup window.

Hope this helps. Let me know if this has solved your problem.
K Riaz
Ranch Hand

Joined: Jan 08, 2005
Posts: 375
Thanks for the replies.

I tried the JavaScript but I cannot get it to submit the form if the user agent is closed:



Here, after the alert is called, nothing is sent to the server.

[ March 30, 2005: Message edited by: Kashif Riaz ]
Sripathi Krishnamurthy
Ranch Hand

Joined: Mar 07, 2005
Posts: 232
<body onUnload="unloadEvent()">
<form id="pageForm" action="./controller" method="POST" name="form"><input type="hidden" name="operation" value="logout" /></form>
</body>

can you try this?
K Riaz
Ranch Hand

Joined: Jan 08, 2005
Posts: 375
Thanks I got it working. It also works if you supply a href in the html.
Sripathi Krishnamurthy
Ranch Hand

Joined: Mar 07, 2005
Posts: 232
Originally posted by Kashif Riaz:
Thanks I got it working. It also works if you supply a href in the html.


So you are able to delete users from the HashMap when the browser is closed using the JavaScript? Where does the href come into the picture?
Adeel Ansari
Ranch Hand

Joined: Aug 15, 2004
Posts: 2874
I am thinking of something else, something server-side. It is not cookies either.

Why not let the user log in again, and if an entry already exists in the map, then transfer all the stuff from this session to the new session and after that delete the old entry, invalidate that session, and make a new entry?

But yes, it has a problem. Assume a user is already logged in and using the app, and meanwhile the same user logs in from another machine; then the first one is automatically logged out. Don't know if it is OK for you?
Shailesh Chandra
Ranch Hand

Joined: Aug 13, 2004
Posts: 1081

Originally posted by Adeel Ansari:
I am thinking of something else, something server-side. It is not cookies either.


I agree with Adeel, also not cookies, because deleting cookies may cause some other condition to handle. But a server-side solution would be more reliable.


Gravitation cannot be held responsible for people falling in love ~ Albert Einstein
K Riaz
Ranch Hand

Joined: Jan 08, 2005
Posts: 375
Originally posted by Sripathi Krishnamurthy:


So you are able to delete users from the HashMap when the browser is closed using the JavaScript? Where does the href come into the picture?


The href just sends a request to the server with the logout attribute as a parameter (cleaner way than using a form). Once the request is received by the server, it can remove the user from the HashMap.

Originally posted by Adeel Ansari:

Why not let the user log in again, and if an entry already exists in the map, then transfer all the stuff from this session to the new session and after that delete the old entry, invalidate that session, and make a new entry?


I cannot do this for my application because if someone else is logged in with the same credentials as another user, they should simply be sent a message of "Username in use". It's a requirement.
[ March 31, 2005: Message edited by: Kashif Riaz ]
Yuriy Zilbergleyt
Ranch Hand

Joined: Dec 13, 2004
Posts: 429
I cannot do this for my application because if someone else is logged in with the same credentials as another user, they should simply be sent a message of "Username in use". It's a requirement.

I think that's a pretty hard requirement to satisfy with web applications because of the already mentioned possibility of a user closing a browser. What might work, though it won't be pretty, is setting the session timeout very low, and using asynchronous JavaScript (like the XMLHttpRequest object) on every page to keep the session alive by sending a message to the server every so often.

-Yuriy
Stan James
(instanceof Sidekick)
Ranch Hand

Joined: Jan 29, 2003
Posts: 8791
I used to use a system with a logon HERE option that invalidated any other session the same username might have. You could tell the user that the username is already in use and ask if they want to log on anyhow. I don't know any better solution for somebody who kicked the network cable loose and doesn't want to wait for the session to time out.

Do users share usernames? This kind of thing just doesn't work out well if everybody in some department logs in with the same id.


A good question is never answered. It is not a bolt to be tightened into place but a seed to be planted and to bear more seed toward the hope of greening the landscape of the idea. John Ciardi
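
Added example, not code from any poster in this thread: a server-side registry that combines the approaches discussed above, namely the "Username in use" rejection, a short lease kept alive by a heartbeat, and a forced "log on here" takeover. The check-and-claim runs inside one atomic map operation so two simultaneous logins cannot both pass it. The class and method names are hypothetical, the session IDs and timestamps are constructed, and Java 16+ is assumed for records.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.ConcurrentHashMap;

/** One live login per username, tracked as a renewable lease (hypothetical class). */
public class LoginRegistry {
    public enum Result { GRANTED, USERNAME_IN_USE }
    private record Lease(String sessionId, Instant expires) {}

    private final ConcurrentHashMap<String, Lease> active = new ConcurrentHashMap<>();
    private final Duration ttl; // lease length: how long a closed browser blocks the name

    public LoginRegistry(Duration ttl) { this.ttl = ttl; }

    /** Atomic check-and-claim; force=true is the "log on here anyway" takeover. */
    public Result login(String user, String sessionId, boolean force, Instant now) {
        Lease mine = new Lease(sessionId, now.plus(ttl));
        Lease winner = active.compute(user, (u, cur) ->
            (cur == null || force || !cur.expires().isAfter(now)
                || cur.sessionId().equals(sessionId)) ? mine : cur);
        return winner == mine ? Result.GRANTED : Result.USERNAME_IN_USE;
    }

    /** Renews the lease; false means this session no longer owns the username. */
    public boolean heartbeat(String user, String sessionId, Instant now) {
        Lease kept = active.computeIfPresent(user, (u, cur) ->
            cur.sessionId().equals(sessionId) && cur.expires().isAfter(now)
                ? new Lease(sessionId, now.plus(ttl)) : cur);
        return kept != null && kept.sessionId().equals(sessionId)
            && kept.expires().isAfter(now);
    }

    /** Explicit logout removes the entry only if the caller still owns it. */
    public boolean logout(String user, String sessionId) {
        Lease cur = active.get(user);
        return cur != null && cur.sessionId().equals(sessionId) && active.remove(user, cur);
    }

    public static void main(String[] args) {
        LoginRegistry reg = new LoginRegistry(Duration.ofSeconds(60));
        Instant t0 = Instant.parse("2005-03-30T12:00:00Z"); // constructed timeline
        System.out.println(reg.login("kriaz", "S1", false, t0));                  // first login
        System.out.println(reg.login("kriaz", "S2", false, t0.plusSeconds(30)));  // second browser, S1 live
        System.out.println(reg.heartbeat("kriaz", "S1", t0.plusSeconds(50)));     // S1 page still open
        System.out.println(reg.login("kriaz", "S2", false, t0.plusSeconds(120))); // S1 closed, lease lapsed
        System.out.println(reg.login("kriaz", "S3", true, t0.plusSeconds(130)));  // forced takeover
        System.out.println(reg.heartbeat("kriaz", "S2", t0.plusSeconds(140)));    // displaced session
    }
}
```

In a servlet the session ID would come from `HttpSession.getId()`, and a failed heartbeat is the signal to invalidate the displaced session. A client-side unload request can still call `logout` early, but the lease expiry is what frees the username when that request never arrives.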
 