How to disable multiple sessions on client's machine

ganesh pol
Ranch Hand

Joined: Apr 29, 2005
Posts: 151
To Dear All,
I am facing a problem in disabling multiple sessions on a client's machine.

Consider the following example:

Users A and B have accounts in application app.

User A starts application app by logging in.

Since user A enters the proper username and password, the application authenticates user A,

so now user A's session starts.

User A is away from his machine for a few moments.

User B comes to the same machine where user A's session is still active.

Now user B opens a new window and types the application URL.

The login page for application app opens.

User B enters the correct username and password,

and user B's new session is started on the same machine where A's is already running.

Now my question is how to disallow user B from starting a new session.

In this case I do not want to depend on cookies, since the user's machine might disable them.

Is it possible for someone to give me code related to this problem?

Thanks in advance
Prabhu Venkatachalam
Ranch Hand

Joined: Nov 16, 2005
Posts: 502

You mean you want to stop creating a NEW session from the same physical machine?


Prabhu Venkatachalam
SCJP 1.4, SCWCD 1.4
prabhu.venkatachalam@gmail.com
Rahul Bhattacharjee
Ranch Hand

Joined: Nov 29, 2005
Posts: 2308
There is a solution for this, but how it would behave with a proxy on the way I do not know. To the best of my knowledge this might not work with a proxy on the way.

Each time you create a new session after validating a user, store the IP of the machine from which the request has originated, using
interface ServletRequest, method getRemoteAddr, and store it in application-level storage.
So whenever you get a request for login, check whether that IP is already in the list; if not, put that IP in the list and continue with authentication.

This way you can restrict one login to the application from one machine.


Rahul Bhattacharjee
Ranch Hand

Joined: Nov 29, 2005
Posts: 2308
Sorry for multiple posts.
There is another simpler way for this but that uses cookies.
Adeel Ansari
Ranch Hand

Joined: Aug 15, 2004
Posts: 2874
Use cookies.
Read the cookie; if someone is already logged in then just forward the request to the home page.

Otherwise, log out the former user and then let the new one log in.
[ November 09, 2006: Message edited by: Adeel Ansari ]
Prabhu Venkatachalam
Ranch Hand

Joined: Nov 16, 2005
Posts: 502

Hi ganesh,

May I know why you want to do this?
madhup narain
Ranch Hand

Joined: Dec 14, 2004
Posts: 148
Hi,
I encountered a requirement similar to the one posted above.

The scenario that I was dealing with was that of a 'cash collection terminal that would enable a cash collector to login. For some reason we wanted only one login to persist from the same physical machine'.

Anyway, we scrapped that requirement for other reasons.

But the idea of having only one login session based on the IP address is also what came to our minds when we were working on it, but we didn't take it forward.

You may like to query others on what they have to say in the same respect.


Regards


Money for nothing and Java for Free
SCJP, SCWCD
ganesh pol
Ranch Hand

Joined: Apr 29, 2005
Posts: 151
First of all, thanks for the huge response.
A proxy server is also an issue.

And what happens if the user disables cookies on his machine?
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Then it won't work.
It also won't work if the person has more than one browser on their machine.
Blocking by IP may inadvertently block out a whole office of people working under the same sub-net.

I would challenge the requirement, or, at least make sure that the people who want this understand that web applications exist in a stateless environment and that things like this can never be 100% reliable.


Rahul Bhattacharjee
Ranch Hand

Joined: Nov 29, 2005
Posts: 2308
I certainly agree with Ben; there might not be a 100% trusted solution for this, and a proxy is certainly a problem.
Rauhl Roy
Ranch Hand

Joined: Aug 01, 2006
Posts: 401

Hi,
When we use Yahoo! mail it allows us to open as many accounts as possible. But when you sign out of even one account, all other accounts automatically ask to log in again.

Don't you think Yahoo! is also facing the same kind of problem?

regards,

Rahul.
Rahul Bhattacharjee
Ranch Hand

Joined: Nov 29, 2005
Posts: 2308
The original post says to solve this issue without using cookies (and that is the issue here). Well, there is a simple solution to this using cookies. Probably Yahoo is using that approach.
Anupam Sinha
Ranch Hand

Joined: Apr 13, 2003
Posts: 1088
Though what I am mentioning is not neat, this hack may be helpful. You can use JavaScript to get the IP address (local IP address) of the logged-in user. Send the IP address to the server. Check if you also have an entry for the IP address in your hash. In case you have, then check the IP address of the logged-in user from the servlet (getRemoteAddr). In case you also have an entry for that user, you know you have another request from the same machine. I haven't tried this solution.
Rahul Bhattacharjee
Ranch Hand

Joined: Nov 29, 2005
Posts: 2308
Originally posted by Anupam Sinha:
Though what I am mentioning is not neat, this hack may be helpful. You can use JavaScript to get the IP address (local IP address) of the logged-in user.


IPs for devices inside a network are the same in all networks that have a connection to the internet. The devices (computers) within the network have a similar pattern for assigning IPs to computers in the network. So I do not think that this would be a complete solution to this.
Anupam Sinha
Ranch Hand

Joined: Apr 13, 2003
Posts: 1088
Originally posted by Rahul Bhattacharjee:


IPs for devices inside a network are the same in all networks that have a connection to the internet. The devices (computers) within the network have a similar pattern for assigning IPs to computers in the network. So I do not think that this would be a complete solution to this.


Let me explain:

Network A has IPs from 192.168.0.1 to 192.168.0.20.
Now network A is assigned a proxy as 202.XXX.XXX.XXX.

So when the page sends in the local IP address from a computer running on IP 192.168.0.2, it would be 192.168.0.2. When you do a getRemoteAddr() on the host you would get 202.XXX.XXX.XXX. Then you determine a unique PC with this combination. Or simply assume the IP address as 192.168.0.2_202.XXX.XXX.XXX in your hash. Whenever a request comes in, check if the value is present or not.
Rahul Bhattacharjee
Ranch Hand

Joined: Nov 29, 2005
Posts: 2308
Combination of IP sounds great. Yeah, that should work.
;-)
pawank gupta
Ranch Hand

Joined: Jun 07, 2006
Posts: 34
Why don't you use SSO?
Rahul Bhattacharjee
Ranch Hand

Joined: Nov 29, 2005
Posts: 2308
I do not think SSO is for this purpose.
In short, SSO is for switching between applications which have been integrated under the same umbrella with a single login.
Mahboob Ali
Greenhorn

Joined: Oct 04, 2013
Posts: 3
This is sample code to allow only one session per physical machine:

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

public class FirstServlet extends HttpServlet
{
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        ServletContext context = getServletContext();
        HttpSession session = request.getSession();

        // Address of the client, or of the last proxy that forwarded the request
        String ipaddress = request.getRemoteAddr();

        // Per-session request counter; null on the first request of a session,
        // so initialise it before incrementing to avoid a NullPointerException
        Integer count = (Integer) session.getAttribute("hitCount");
        count = (count == null) ? 1 : count + 1;

        if (ipaddress.equals(context.getAttribute("uniqueIp"))) {
            // perform your actual session operation here
            out.println("Sorry! your IP Address has already been using a session object<br>");
        } else {
            // Remember this address in application (context) scope
            context.setAttribute("uniqueIp", ipaddress);
        }

        session.setAttribute("hitCount", count);
        out.println("the Number of request from this session and " + ipaddress + " ip adress is " + count + "<br>"); //or context.getAttribute("hitCount")
        out.println("<a href='" + request.getContextPath() + "/index.html'>Home</a>");
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        doGet(request, response);
    }
}
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 29249

I don't like this IP address thing. What if two machines come from the same public IP (or proxy)? What if someone signs in from a dynamic IP and someone else gets it later?

If you must do IP addresses, I think a better design is to ask whether the new user wants to abandon logging in or to forcibly log out the previous user.


Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4637

Jeanne Boyarsky wrote: I don't like this IP address thing. What if two machines come from the same public IP (or proxy)? What if someone signs in from a dynamic IP and someone else gets it later? If you must do IP addresses, I think a better design is to ask whether the new user wants to abandon logging in or to forcibly log out the previous user.


I agree. More strongly, checking the IP address will not work well. We live in a world of dynamic IP assignment and multiple NAT (network address translation) through the network. A user can log in, and a few seconds later, his ISP will change his IP address.

Also, be careful with your requirements. Is the user allowed to have multiple tabs open in his browser at once? How about multiple browsers, say IE, Chrome and Firefox all at once? [Hint, the cookie solution will NOT work with multiple browsers]
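
The design suggested in the thread (refuse the new login, or forcibly log out the previous user), as an added Java example that is not part of any post above. It also releases the key when a session ends, which a value stored once in the ServletContext never does, and it inherits every proxy, NAT and dynamic-IP caveat raised above if the key is the getRemoteAddr() value. The class SingleSessionRegistry, the method claim and the attribute name are hypothetical.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added example (hypothetical class, not from the thread): at most one live session per key.
// @WebListener needs Servlet 3.0+; on older containers declare it as a <listener> in web.xml.
@WebListener
public class SingleSessionRegistry implements HttpSessionListener {
    // key (for example the getRemoteAddr() value) -> session that currently owns it
    private static final ConcurrentMap<String, HttpSession> ACTIVE = new ConcurrentHashMap<>();
    private static final String KEY_ATTR = "singleSessionKey"; // hypothetical attribute name

    /**
     * Call after the password check succeeded. Returns true if the session owns the key.
     * takeOver=false: refuse while another session holds the key (caller asks the user).
     * takeOver=true:  the user chose to log out the previous session, which is invalidated.
     */
    public static boolean claim(String key, HttpSession session, boolean takeOver) {
        HttpSession[] evicted = new HttpSession[1];
        HttpSession owner = ACTIVE.compute(key, (k, cur) -> {
            if (cur == null || session.getId().equals(cur.getId())) return session;
            if (!takeOver) return cur;
            evicted[0] = cur;
            return session;
        });
        if (owner != session) return false;
        session.setAttribute(KEY_ATTR, key);
        if (evicted[0] != null) {
            // Invalidate outside compute(): it triggers sessionDestroyed(), which touches ACTIVE.
            try { evicted[0].invalidate(); } catch (IllegalStateException expiredMeanwhile) { }
        }
        return true;
    }

    @Override public void sessionCreated(HttpSessionEvent se) { }

    // Runs on logout and on timeout, so a key is released when its session ends.
    @Override public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        Object key = s.getAttribute(KEY_ATTR);
        if (key != null) {
            // Remove only if this session is still the owner (it may have been taken over).
            ACTIVE.computeIfPresent((String) key,
                (k, cur) -> s.getId().equals(cur.getId()) ? null : cur);
        }
    }
}
```

A login servlet would call claim(key, request.getSession(), false) first and, if it returns false, show a page asking whether to cancel or to call it again with takeOver set to true.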
 