permaculture playing cards*
The moose likes Servlets and the fly likes invalidate others session Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "invalidate others session" Watch "invalidate others session" New topic
Author

invalidate others session

gas das
Greenhorn

Joined: May 14, 2006
Posts: 5
Hi to all!
How can I invalidate a session having it's session id?
I want to make a function that allow an administrator user
to invalidate the session of others users that are logged in
my web application (and so force them to log out).
Now I store the session id of all users that are logged in
on a db table.
But how can I call session.invalidate() on a particular session id?
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12761
    
    5
As I recall, early versions of the servlet API had a method to get at an arbitrary session by the ID but the methods were removed as a security risk.
You will have to think of another way to accomplish your goal.
Bill
Jaime M. Tovar
Ranch Hand

Joined: Mar 28, 2005
Posts: 133
Maybe you can signal the session to kill itself. Just intercept the calls and check if a flag has been risen in that case tell the session to invalidate itself. It will just add a filter to your app. The hard thing will be to keep record of all active sessions.


She will remember your heart when men are fairy tales in books written by rabbits.<br /> As long as there is duct tape... there is also hope.
Travis Hein
Ranch Hand

Joined: Jun 06, 2006
Posts: 161
Since the servlet API no longer directly lets you get to other sessions,
one way this could be done would be to make a custom listener that implements the HttpSessionListener, and register it in the web.xml, so as a session is created in the system, your listener would store a reference to that session into a hash table (within the servlet context attributes?) possibly keyed by session identifier. It is not really cluster friendly, or reload of webapp friendly and you should remove the session from your map in the sessionDestroyed() of the listener.

Then your admin page can consume this map, and invoke invalidate() on selected sessions.


Error: Keyboard not attached. Press F1 to continue.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: invalidate others session
 
Similar Threads
how to invalidate a session from another computer by using ip/MAC sessionid
Session Killing
Issue in session manegement
Session Invalidate
How to get session object by giving Session Id to kill another session in Websphere