I want to restrict the user login only if his previous session is closed. For that I have to validate his previous session using his sessionid.
Could you please explain, what is meant by "previous session" here? It is required that a user should be logged in only once into the application i.e. cannot login twice at the same time. For such a requirement you could consider maintaining a list of logged in users in the ServletContext and prevent login if the name already figures in this list.
I do not think "HttpSession" would serve the purpose, nor is it the correct place, as it is useful for stuff which happens within a session, not across sessions.
Thanks and Regards
Giovanni De Stefano
Joined: Aug 17, 2004
I am not sure I understood your question properly (if not please rephrase).
Keep in mind that the Client to a Servlet is a Browser (name it Internet Explorer).
If you run the code in my previous post, you will see that the first time the Servlet is accessed a session is created and isNew() evaluates true.
Any other time the user accesses the Servlet from the same Browser window (Internet Explorer) or from any newly created Browser window (still Internet Explorer) isNew() evaluates false, thus the other branch of code is executed.
Obviously, if you access the Servlet from a different Browser (name it Firefox) a new session is created.
I was just trying to answer the question, what I would have done is to check both the session and the login status. In pseudo code:
1) create a session
2) if the session is new then redirect to login
3) if login successful then remember loginstatus
4) if the session is not new and the user is not logged in then redirect to login
5) else (session not new and user logged in) do whatever you have to...
I hope this clarifies my point of view.
If I am wrong, please provide details why I am wrong (we are all here to learn, aren't we?).
Cheers, Giovanni [ September 17, 2008: Message edited by: Giovanni De Stefano ]
I think the code above is doing the same thing as Giovanni's, only the other way round (with extra code). It will fail if the user has two different browsers to make the request. Also, I don't understand the reason for sending a 404 (page not found) when the user is not logged in.
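The ServletContext registry suggested earlier in the thread, as an added example that is not code from any poster: logins are tracked per user name rather than per browser session, so a second browser is refused, and a session listener frees the entry when the earlier session is invalidated or times out. The class name, the attribute names `activeLogins` and `loginUser`, and the helper methods are assumptions made for illustration.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical helper; register it as a <listener> in web.xml so the
// container calls sessionDestroyed() on logout and on session timeout.
public class SingleLoginRegistry implements HttpSessionListener {
    private static final String REGISTRY = "activeLogins"; // ServletContext attribute (assumed name)
    private static final String USER = "loginUser";        // session attribute (assumed name)

    // One application-wide map: user name -> id of the session that owns the login.
    @SuppressWarnings("unchecked")
    private static ConcurrentMap<String, String> registry(ServletContext ctx) {
        synchronized (ctx) {
            ConcurrentMap<String, String> m =
                (ConcurrentMap<String, String>) ctx.getAttribute(REGISTRY);
            if (m == null) {
                m = new ConcurrentHashMap<>();
                ctx.setAttribute(REGISTRY, m);
            }
            return m;
        }
    }

    // Call only after the credentials were verified (and after any session-id
    // rotation done at login). Returns false when another live session,
    // e.g. in a different browser, already holds this user's login.
    public static boolean tryLogin(HttpSession session, String username) {
        String owner = registry(session.getServletContext())
                .putIfAbsent(username, session.getId()); // atomic check-and-claim
        if (owner != null && !owner.equals(session.getId())) {
            return false;
        }
        session.setAttribute(USER, username);
        return true;
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) { /* nothing to track yet */ }

    // Runs while the session's attributes are still readable (Servlet 2.4+).
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        String user = (String) s.getAttribute(USER);
        if (user != null) {
            // Two-argument remove: only the owning session may free the entry.
            registry(s.getServletContext()).remove(user, s.getId());
        }
    }
}
```

A user who closes the browser without logging out stays registered until the session timeout fires, so the timeout value bounds how long that user is refused a new login.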