• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

invalidate others session

 
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi to all!
How can I invalidate a session having it's session id?
I want to make a function that allow an administrator user
to invalidate the session of others users that are logged in
my web application (and so force them to log out).
Now I store the session id of all users that are logged in
on a db table.
But how can I call session.invalidate() on a particular session id?
 
Author and all-around good cowpoke
Posts: 13078
6
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
As I recall, early versions of the servlet API had a method to get at an arbitrary session by the ID but the methods were removed as a security risk.
You will have to think of another way to accomplish your goal.
Bill
 
Ranch Hand
Posts: 133
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Maybe you can signal the session to kill itself. Just intercept the calls and check if a flag has been risen in that case tell the session to invalidate itself. It will just add a filter to your app. The hard thing will be to keep record of all active sessions.
 
Ranch Hand
Posts: 161
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Since the servlet API no longer directly lets you get to other sessions,
one way this could be done would be to make a custom listener that implements the HttpSessionListener, and register it in the web.xml, so as a session is created in the system, your listener would store a reference to that session into a hash table (within the servlet context attributes?) possibly keyed by session identifier. It is not really cluster friendly, or reload of webapp friendly and you should remove the session from your map in the sessionDestroyed() of the listener.

Then your admin page can consume this map, and invoke invalidate() on selected sessions.
reply
    Bookmark Topic Watch Topic
  • New Topic