When a user logs into a webapp, I tend to store a Bean representing the user in the user session. If that bean is not present in the session on any request, the user is returned to the login page to re-authenticate.
For any given userid at any given moment, I've been asked to make the application prevent the userid from being used concurrently. In other words, to prevent "joe bloggs" from being logged on at two or more terminals at once.
The problem is, I don't see how I can reliably do this. As far as I know, Servlets 2.3 doesn't provide a means by which to examine other sessions, so I can't check that way. I could in theory record details in the database, but then there is the issue of reliably removing it when the session expires or the user logs out.
I don't have access to a full J2EE server - it only supports Servlets and JSP, so I can't use anything from EJB.
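One way to approach the cleanup problem raised in the post, as an added example that is not part of the original thread: the Servlet API's `HttpSessionBindingListener` lets the session bean itself be notified when it leaves the session, whether through logout, `invalidate()` or timeout. The class name `UserBean`, the attribute name `"user"` and the in-memory registry are assumptions, and the registry only covers a single JVM that is not restarted or clustered.

```java
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

// Hypothetical user bean. The container calls valueUnbound() whenever the
// bean leaves a session, so the registry entry is released without a sweep job.
public class UserBean implements HttpSessionBindingListener, Serializable {
    // userid -> id of the session currently holding that login (single JVM only)
    private static final Map<String, String> ACTIVE = new HashMap<String, String>();
    public static final String ATTR = "user"; // assumed session attribute name

    private final String userid;
    private final String sessionId; // captured at login; the session may be invalid later

    private UserBean(String userid, String sessionId) {
        this.userid = userid;
        this.sessionId = sessionId;
    }

    public String getUserid() { return userid; }

    // Call only after the credentials have been verified. Returns false when
    // the userid is already held by a different live session.
    public static boolean login(HttpSession session, String userid) {
        synchronized (ACTIVE) {
            String holder = ACTIVE.get(userid);
            if (holder != null) {
                return holder.equals(session.getId()); // same session: already logged in
            }
            ACTIVE.put(userid, session.getId());
        }
        session.setAttribute(ATTR, new UserBean(userid, session.getId()));
        return true;
    }

    public void valueBound(HttpSessionBindingEvent event) {
        // Registration already happened atomically in login().
    }

    // Fired on removeAttribute(), on invalidate() (logout) and on session timeout.
    public void valueUnbound(HttpSessionBindingEvent event) {
        synchronized (ACTIVE) {
            if (sessionId.equals(ACTIVE.get(userid))) {
                ACTIVE.remove(userid); // release only the entry this bean owns
            }
        }
    }
}
```

With this policy a user who closes the browser without logging out stays locked out until the session times out, so the session timeout in `web.xml` bounds how long a stale login blocks a new one.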