This week's book giveaway is in the Servlets forum.
We're giving away four copies of Murach's Java Servlets and JSP and have Joel Murach on-line!
See this thread for details.
The moose likes Servlets and the fly likes How to invalidate user's session forcefully Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "How to invalidate user Watch "How to invalidate user New topic
Author

How to invalidate user's session forcefully

Vymokesha Jagwani
Greenhorn

Joined: May 24, 2010
Posts: 8
Hi All,

I want to invalidate user's session when user log in from different remote location in web application.I have session ID and user name of particular user so when i try to use like this HttpSessionContext context=request.getSession().getSessionContext();
context.getSession(sessionID).invalidate();
this is giving null pointer.
and according to sun this method is depreciated for security reason.
so kindly is there any alternative way we have many thing like remote ip address,SessionListner,ContextListner etc.

thanks in advance....
Sagar Rohankar
Ranch Hand

Joined: Feb 19, 2008
Posts: 2902
    
    1

The best method to invalidate session or not allowing a user to have more than one session, is to create the context scoped map and store the session id and all the relevant info of user into the map. Whenever the user creates the new session just check whether the user is present in the context map or not.


[LEARNING bLOG] | [Freelance Web Designer] | [and "Rohan" is part of my surname]
Vymokesha Jagwani
Greenhorn

Joined: May 24, 2010
Posts: 8
i Have do like this

HttpSession session = se.getSession();
ServletContext context = session.getServletContext();
HashMap activeUsers = (HashMap)context.getAttribute("activeUsers");
activeUsers.put(session.getId(), session);
context.setAttribute("activeUsers", activeUsers);


in sessionCreated method of sessionListner in i successsfully get the list of active user's name and there session id but when i do like that

HttpSessionContext context=request.getSession().getSessionContext();
ServletContext sc=request.getSession().getServletContext();
HashMap activeUsers = (HashMap)sc.getAttribute("activeUsers");
HttpSession session=request.getSession();
if(activeUsers.containsKey(this.sessionID)==true){
session.invalidate();
}

it will not allow and through excapetion org.apache.jasper.JasperException
so here is tricky one .so how solve here .

thank you very much .
Sagar Rohankar
Ranch Hand

Joined: Feb 19, 2008
Posts: 2902
    
    1

Use the code tag, like I use.

Vymokesha Jagwani wrote:

What is this.sessionID, don't you think you have to use session.getId()
Vymokesha Jagwani wrote:
it will not allow and through excapetion org.apache.jasper.JasperException

post the full stack trace while reporting the exception.
Vymokesha Jagwani
Greenhorn

Joined: May 24, 2010
Posts: 8
basically this.sessionId is the selected user's sessionId which is comming from jsp page ...
Sagar Rohankar
Ranch Hand

Joined: Feb 19, 2008
Posts: 2902
    
    1

Then you've to validate that session id, I mean, are you sure that id is coming from JSP is same as that of existing users and not newly created by JSP.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
    
    5

Vymokesha Jagwani wrote:I want to invalidate user's session when user log in from different remote location in web application

Others have helped you make progress on how to do this, but I want to ask what you are trying to do, really, and why you think this is a good idea?
What do you mean, multiple logins? How about two or more windows in a Firefox or Chrome browser? How about people who run both Firefox and Chrome, which are separate applications, on the same computer? What about shared IP connections on separate computers? Can I log into your application with my desktop computer and my iPad?
Vymokesha Jagwani
Greenhorn

Joined: May 24, 2010
Posts: 8
okay i am telling you the actually scenario. my requirement is that i am administrator and multiple users login through remote locations, i want to monitor the users so i want to keep access to show me list of active users and which i have done and also access to invalidate that particular user.and this.sessionId is conformed coming from jsp.
I have also mention that i used http sessionContext's method getSession(String sessionID) but which is depreciated.
Sagar Rohankar
Ranch Hand

Joined: Feb 19, 2008
Posts: 2902
    
    1

Vymokesha Jagwani wrote:...and also access to invalidate that particular user.and this.sessionId is conformed coming from jsp.

I don't know how have you design your servlet/action, but if you're getting the id from JSP as a request param, then simply do something as follow
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
    
    5

Vymokesha Jagwani wrote:okay i am telling you the actually scenario. ....

I can't make you answer my questions, but you have not addressed them at all.

1) What do you mean, multiple logins?
2) How about two or more windows in a Firefox or Chrome browser?
3) How about people who run both Firefox and Chrome, which are separate applications, on the same computer?
4) What about shared IP connections on separate computers?
5) Can I log into your application with my desktop computer and my iPad?

I believe that any real set of requirements has to specifically decide answers to these five questions, and the many additional ones that are related.
Vymokesha Jagwani
Greenhorn

Joined: May 24, 2010
Posts: 8
ofcourse it is web based application
1) multiple logins?
2) How about two or more windows in a Firefox or Chrome browser?
3) How about people who run both Firefox and Chrome, which are separate applications, on the same computer?
4) What about shared IP connections on separate computers?

where from user login and i can as admin invalidate his/her session.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
    
    5

I give up. You have still not begun to answer the specific questions. Echoing them is not the same as answering them.
Vymokesha Jagwani
Greenhorn

Joined: May 24, 2010
Posts: 8
i have told that my application behavior is like that all 4 things are there.if you still don't get than i will explain you my scenario.
Sagar Rohankar
Ranch Hand

Joined: Feb 19, 2008
Posts: 2902
    
    1

Vymokesha, what Pat is trying to convey is that how would you take care of different scenarios arises from, say, e.g opening two different browser, in that case, do you want to invalidate the session running on one browser and keeping it alive on second ?

Have you designed the code considering all the possible situations mentioned by Pat.
Vymokesha Jagwani
Greenhorn

Joined: May 24, 2010
Posts: 8
Sagar Rohankar exactly means i am admin and i have right to invalidate a particular user who has login.let supoose i am admin and two other user A and B are login from different machine now i want to kill the session of user B so just click on b and it will be logged off or redirect login page.
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
    
    5

Vymokesha Jagwani wrote: i am admin and i have right to invalidate a particular user....

No one is arguing that you don't have the power or right to do what you want. But you are asking in a technical help forum and not asking for technical help, and not answering the questions that are being raised in an attempt to have you detail the real requirements. I expect that you will not find the solutions that you are looking for here. You will need to hire a professional programmer to do the development that you wish.

While I can only guess at your real requirements, I expect that the professional will take a fair amount of time and effort to develop what you want, since you don't seem to be able to discuss any details of your requirements.

Best of luck to you.
Vymokesha Jagwani
Greenhorn

Joined: May 24, 2010
Posts: 8
dear respected Pat Farrell i have solved my problem......so thanks a lot.
 
wood burning stoves
 
subject: How to invalidate user's session forcefully
 
Similar Threads
How much to use session variables?
Session Invalidate
Targetting specific Objects in session
How to invalidate a session in one browser when the same user login from any other browser?
how to invoke a function in javascript on closing the browser window