Preventing multiple concurrent use of user details

Daniel Dalton
Ranch Hand

Joined: Mar 20, 2005
Posts: 146
When a user logs into a webapp, I tend to store a Bean representing the user in the user session. If that bean is not present in the session on any request, the user is returned to the login page to re-authenticate.

For any given userid at any given moment, I've been asked to make the application prevent the userid from being used concurrently. In other words, to prevent "joe bloggs" from being logged on at two or more terminals at once.

The problem is, I don't see how I can reliably do this. As far as I know Servlets 2.3 doesn't provide a means by which to examine other sessions, so I can't check that way. I could in theory record details in the database, but then there is the issue of reliably removing it when the session expires or the user logs out.

I don't have access to a full J2EE server - it only supports Servlets and JSP, so I can't use anything from EJB.

Any ideas?
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by Daniel Dalton:

The problem is, I don't see how I can reliably do this.


"Reliably" is the keyword here and you're right.
This topic has been discussed here several times and I've yet to see a solution that was reliable.

HTTP is a stateless protocol and doesn't behave the same way that stateful terminal sessions do.

Connections hiccup.
Browsers crash.
They also behave differently regarding session cookies depending on how you open them.


Daniel Dalton
Ranch Hand

Joined: Mar 20, 2005
Posts: 146
Thanks Ben,

I thought I'd better check in case I was missing something glaringly obvious!
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Again, you can find long discussions on the issue if you search this (and the JSP forum).
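
Added example (not code from either poster): one common way to approach the cleanup problem raised in the thread is to have the user bean itself implement `HttpSessionBindingListener`, so the container reports logout, `invalidate()` and timeout. The class name `UserBean`, the "newest login wins" policy and the use of Java 5+ `java.util.concurrent` are assumptions; the registry lives in one JVM only, so it does not cover clustering or restarts.

```java
import java.io.Serializable;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Hypothetical user bean: at most one live session per userid, newest login wins. */
public class UserBean implements HttpSessionBindingListener, Serializable {
    // userid -> bean currently bound to a session (in-memory, this JVM only)
    private static final ConcurrentMap<String, UserBean> ACTIVE =
            new ConcurrentHashMap<String, UserBean>();

    private final String userId;
    private transient volatile HttpSession session;

    public UserBean(String userId) { this.userId = userId; }

    public String getUserId() { return userId; }

    // Called by the container when the bean is stored with session.setAttribute(...).
    public void valueBound(HttpSessionBindingEvent event) {
        session = event.getSession();
        UserBean previous = ACTIVE.put(userId, this);
        if (previous != null && previous != this) {
            // Evicting the older login means a crashed browser cannot
            // lock the user out until its session times out.
            previous.endSession();
        }
    }

    // Called on removeAttribute(), invalidate() (logout) and session timeout.
    public void valueUnbound(HttpSessionBindingEvent event) {
        ACTIVE.remove(userId, this); // no-op if a newer login already replaced this bean
        session = null;
    }

    private void endSession() {
        HttpSession old = session;
        if (old != null) {
            try {
                old.invalidate();
            } catch (IllegalStateException alreadyInvalid) {
                // The old session expired on its own; nothing left to clean up.
            }
        }
    }
}
```

With this in place, the evicted terminal's next request finds no bean in its session and falls through to the existing "return to login page" check described in the first post.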