JavaRanch » Java Forums » Java » Servlets
Session Handling- How restrict to only one admin login

Pravin Jagan
Greenhorn

Joined: Feb 28, 2005
Posts: 27
Hi,
I have a web application with an admin login. The problem is that more than one admin user can log in at a time from different machines. But I would like to restrict it to only one admin user at any time. Can anyone give me some input on how to go about this?
thanks in advance
pravin
Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8904

Store a flag in the Servlet context object when the admin logs in. When the admin logs out or when the session times out, remove the entry. Take care of synchronization.


Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by Pradeep Bhat:
Store a flag in the Servlet context object when the admin logs in. When the admin logs out or when the session times out, remove the entry. Take care of synchronization.

Then what happens if the admin user closes his browser or if his/her browser crashes? Will that admin need to wait until the session expires before logging back in?


Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8904

Originally posted by Ben Souther:
Then what happens if the admin user closes his browser or if his/her browser crashes? Will that admin need to wait until the session expires before logging back in?

Do you have a better way of implementation?
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Personally, I don't think there is a good way to do this.

What you've mentioned is probably as good as it gets.
Adeel Ansari
Ranch Hand

Joined: Aug 15, 2004
Posts: 2874
Originally posted by Pradeep Bhat:
Do you have a better way of implementation?


Yes. Just a complement to your idea. We can transfer all the info from the previous session to the new session and invalidate the previous one. Or just invalidate the previous one upon a new admin login request. Of course, it would cause some other disastrous issues. But we can check the machine IP from where the request comes in; if it is the same then do it, otherwise wait for the timeout.
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Two people working for the same company will often be on the same subnet. This means that they will both register the same IP.

I would agree that two admins should not be using the same username/password but in the real world, this happens a lot. In fact if it didn't happen, there wouldn't be much need to restrict to one login at a time in the first place.

Now, if you combine Adeel's idea with a cookie that can prove that both logins were from the exact same machine, this could be helpful in making sure that one admin doesn't have two browser instances open at the same time. The problem with this is that, if the user opens a new instance of MSIE by typing CTL+N, then both instances will share the same cookie space, both for session and non-session cookies. So, even if the session for browser A is invalidated, it will continue running the app, but with the session for browser B.

In short, there is no graceful way (that I've seen) to make sure that there is only one login for a given user at a time.
[ April 16, 2005: Message edited by: Ben Souther ]
Pravin Jagan
Greenhorn

Joined: Feb 28, 2005
Posts: 27
Well, I am able to restrict admin login to one at a time by saving a flag in the ServletContext. But I got another issue: how should I handle the situation in case the user (accidentally) closes the window without logging out? (As pointed out by Ben.)
thanks in advance
Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8904

Originally posted by Pravin Jagan:
Well, I am able to restrict admin login to one at a time by saving a flag in the ServletContext. But I got another issue: how should I handle the situation in case the user (accidentally) closes the window without logging out? (As pointed out by Ben.)
thanks in advance

When the session times out, remove the flag. Yes, until the session times out the user cannot log in.
Srinivasa Raghavan
Ranch Hand

Joined: Sep 28, 2004
Posts: 1228
We used a session listener to update the flag in the DB.

There was a static frame in our application; the HTML page in the static frame has an unload method, and this was used to track when the user accidentally closes the browser. This unload method opens a new window or a JSP that invalidates the session, the session listener gets notified, and the flag gets updated.


Thanks & regards, Srini
MCP, SCJP-1.4, NCFM (Financial Markets), Oracle 9i - SQL ( 1Z0-007 ), ITIL Certified
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by Srinivasa Raghavan:
We used a session listener to update the flag in the DB.

There was a static frame in our application; the HTML page in the static frame has an unload method, and this was used to track when the user accidentally closes the browser. This unload method opens a new window or a JSP that invalidates the session, the session listener gets notified, and the flag gets updated.

This will certainly help in a large number of cases.
It will not work when the browser or OS crashes.
It also won't work if the hardware or connection fails and the admin moves to another machine in the office.

Just be certain to make sure that whoever is paying for this app (your client or your management) understands that this requirement is not completely possible in a webapp. There will always be cases where it will either not work or where it will lock out an admin for the remainder of the session timeout span.
Let them know that, while you can get close, there will always be limitations and make sure they understand what they are.

If it works in 95% of cases you can be sure they will treat the other 5% as a bug and expect you to fix it.
Pravin Jagan
Greenhorn

Joined: Feb 28, 2005
Posts: 27
Hi all,
Following the above discussion, I have tried to implement single login by using HttpSessionListener. The problem arises as my application has 2 types of users (or roles), admin and developer, and I'm trying to restrict only the admin login to one at a time.

And my listener class is as follows

It works fine as long as an admin has logged in and another admin user tries to log in. But when a developer user logs in and logs out, an admin user would be able to log in even though an admin is already logged in.
So what I feel is the listener method sessionDestroyed() gets called. I know there is a flaw in my logic, but I am not able to find how to resolve it.
In a nutshell, what I'm doing is: once an admin is logged in, I set a flag in the ServletContext, and no admin would be able to log in if the ServletContext attribute has a value. And when the admin logs out, using the session listener's method, I remove the value.
So can anyone help me with this issue?
thanks in advance
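The flaw Pravin describes (a developer's session ending frees the admin slot) comes from the listener clearing the flag unconditionally in sessionDestroyed(). The example below is added here and is not code from the thread: it implements Pradeep's ServletContext-flag design, but stores the admin session's id rather than a boolean, so the listener releases the slot only when that session ends. Class and attribute names (SingleAdminLogin, OWNER_KEY, the "role" attribute, the "/home" redirect) are my own; the @WebListener annotation assumes Servlet 3.0, and on older containers the listener is declared in web.xml instead. The credential check is left as an abstract method because it belongs to the application's user store.

```java
package example.auth;

import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Single-admin guard. The ServletContext holds the id of the session that
 * owns the admin slot, not just a boolean, so the listener can tell the
 * admin's own session apart from a developer's when sessions are destroyed.
 */
public final class SingleAdminLogin {
    // Hypothetical attribute name; any unique key works.
    static final String OWNER_KEY = "example.adminSessionId";

    private SingleAdminLogin() {}

    /** Claim the slot for this session; false if a different live session holds it. */
    static boolean acquire(ServletContext ctx, HttpSession session) {
        // Lock on the context so two simultaneous admin logins cannot both see an empty slot.
        synchronized (ctx) {
            String owner = (String) ctx.getAttribute(OWNER_KEY);
            if (owner != null && !owner.equals(session.getId())) {
                return false;
            }
            ctx.setAttribute(OWNER_KEY, session.getId());
            return true;
        }
    }

    /** Free the slot only if the given session is the one that owns it. */
    static void releaseIfOwner(ServletContext ctx, String sessionId) {
        synchronized (ctx) {
            if (sessionId.equals(ctx.getAttribute(OWNER_KEY))) {
                ctx.removeAttribute(OWNER_KEY);
            }
        }
    }

    /** Runs for every session end: explicit logout (invalidate()) and inactivity timeout alike. */
    @WebListener
    public static class SlotReleaser implements HttpSessionListener {
        @Override public void sessionCreated(HttpSessionEvent e) { }

        @Override public void sessionDestroyed(HttpSessionEvent e) {
            HttpSession s = e.getSession();
            // A developer's session ending does not match the owner id, so the slot stays taken.
            releaseIfOwner(s.getServletContext(), s.getId());
        }
    }

    /** Subclass this, implement authenticate(), and register the subclass at your login URL. */
    public abstract static class LoginServlet extends HttpServlet {
        /** Returns the role ("admin" or "developer") for valid credentials, or null. */
        protected abstract String authenticate(String user, String password);

        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String role = authenticate(req.getParameter("user"), req.getParameter("password"));
            if (role == null) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Start a fresh session after authentication. If the old session owned the
            // slot, invalidating it runs the listener, which releases the slot first.
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            HttpSession session = req.getSession(true);
            if ("admin".equals(role) && !acquire(session.getServletContext(), session)) {
                session.invalidate();
                resp.sendError(HttpServletResponse.SC_CONFLICT, "An admin is already logged in");
                return;
            }
            session.setAttribute("role", role);
            resp.sendRedirect(req.getContextPath() + "/home");
        }
    }
}
```

The closed-browser case Ben raises is unchanged by this: the slot is held until the owning session times out, so the admin's lockout is bounded by whatever session.setMaxInactiveInterval() is set to for admin sessions.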
James Carman
Ranch Hand

Joined: Feb 20, 2001
Posts: 580
Maybe this is a dumb question (I'm full of 'em), but why do you need to restrict the admins to one at a time? Are you afraid that two of the admins might simultaneously try to edit the same data? You can avoid that case quite easily using optimistic locking.


James Carman, President, Carman Consulting, Inc.
K Riaz
Ranch Hand

Joined: Jan 08, 2005
Posts: 375
Originally posted by Pravin Jagan:
It works fine as long as an admin has logged in and another admin user tries to log in. But when a developer user logs in and logs out, an admin user would be able to log in even though an admin is already logged in.
So what I feel is the listener method sessionDestroyed() gets called. I know there is a flaw in my logic, but I am not able to find how to resolve it.
In a nutshell, what I'm doing is: once an admin is logged in, I set a flag in the ServletContext, and no admin would be able to log in if the ServletContext attribute has a value. And when the admin logs out, using the session listener's method, I remove the value.
So can anyone help me with this issue?
thanks in advance

Hello Pravin,

I implemented a similar system, except that it checked for any duplicate user (not just admin). However, the underlying design was almost identical to your problem. Basically, you just need to maintain a list of all users and you can do whatever you like. It looks like you're almost there, so here is the way I did it.

I created a standalone class called "UserManager". This class implemented the singleton pattern so only one UserManager instance was available at all times. It had a HashMap (to maintain all sessions), with public methods to get a certain type of user (e.g. userExist("admin") would return true if the HashMap contained a reference to a session which had a "user" attribute whose value was "admin", or false otherwise). This class also had static methods to add and remove sessions.

Now the fun part: inside the HttpSessionListener class which you implement, in sessionCreated(..), you just need to add a reference to the new session to the UserManager by doing something such as "UserManager.addSession(session)". In sessionDestroyed(..), you need to remove it: "UserManager.remove(session.getID())". This way you always have a list of users throughout the whole life of your web application.

So now, in your entry point servlet where users login, you simply get an instance of UserManager, ask it whether a session exists with certain attributes (with certain values) and either add the session (such as a new admin) or send an error to the client if you don't want to add the session (e.g. "admin" already exists).
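As an added example (my code, not K Riaz's or the thread's), the registry he describes written out as a thread-safe singleton, generalized to any role rather than just "admin": the listener registers every session, roleExists() answers the login servlet's question, claimExclusive() rejects a second login for a role, and takeOver() implements Adeel's alternative of evicting the previous holder. Names (UserRegistry, ROLE_ATTR, Tracker) are mine; @WebListener assumes Servlet 3.0 and can be replaced by a web.xml listener entry.

```java
package example.auth;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Singleton registry of every live session, keyed by session id. */
public final class UserRegistry {
    public static final String ROLE_ATTR = "role";   // hypothetical session attribute holding the role
    private static final UserRegistry INSTANCE = new UserRegistry();

    // ConcurrentHashMap: the listener and request threads touch it concurrently.
    private final Map<String, HttpSession> sessions = new ConcurrentHashMap<>();

    private UserRegistry() {}
    public static UserRegistry get() { return INSTANCE; }

    void add(HttpSession s)        { sessions.put(s.getId(), s); }
    void remove(String sessionId)  { sessions.remove(sessionId); }

    /** True if some live session other than exceptSessionId carries the given role. */
    public boolean roleExists(String role, String exceptSessionId) {
        for (HttpSession s : sessions.values()) {
            if (s.getId().equals(exceptSessionId)) continue;
            try {
                if (role.equals(s.getAttribute(ROLE_ATTR))) return true;
            } catch (IllegalStateException alreadyInvalidated) {
                // Destroyed by timeout but the listener has not run yet; drop it.
                sessions.remove(s.getId());
            }
        }
        return false;
    }

    /** Give this session the role unless another session already holds it (synchronized: no double claim). */
    public synchronized boolean claimExclusive(String role, HttpSession s) {
        if (roleExists(role, s.getId())) return false;
        s.setAttribute(ROLE_ATTR, role);
        return true;
    }

    /** Adeel's variant: invalidate whoever holds the role, then take it for this session. */
    public synchronized void takeOver(String role, HttpSession s) {
        for (HttpSession other : sessions.values()) {
            if (other.getId().equals(s.getId())) continue;
            try {
                if (role.equals(other.getAttribute(ROLE_ATTR))) other.invalidate(); // listener removes it
            } catch (IllegalStateException alreadyInvalidated) {
                sessions.remove(other.getId());
            }
        }
        s.setAttribute(ROLE_ATTR, role);
    }

    /** Keeps the registry in step with the container's session lifecycle. */
    @WebListener
    public static class Tracker implements HttpSessionListener {
        @Override public void sessionCreated(HttpSessionEvent e)   { get().add(e.getSession()); }
        @Override public void sessionDestroyed(HttpSessionEvent e) { get().remove(e.getSession().getId()); }
    }
}

// In the login servlet, after the credentials have been verified:
//   HttpSession session = req.getSession(true);
//   if ("admin".equals(role) && !UserRegistry.get().claimExclusive("admin", session)) {
//       resp.sendError(HttpServletResponse.SC_CONFLICT, "An admin is already logged in");
//   }
```

Two caveats a practitioner should keep in mind: the registry lives in one JVM, so in a clustered deployment each node sees only its own sessions; and reading or invalidating another user's HttpSession from a request thread is not something the Servlet specification guarantees to be thread-safe, which is why the eviction path above tolerates IllegalStateException rather than assuming the other session is still valid.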
 