Restricting multiple logins

Satchidananda Mohanty
Ranch Hand

Joined: Mar 12, 2008
Posts: 77

Hi Guys,

I am developing an e-commerce web portal. I want to restrict multiple logins of the same person from various machines there. Could you provide me some ideas on how to do this?
I am using servlets, JSP and Struts in my application.

Thanks in advance,
zeet


Zeet

SCJP 6.0
Praneeth Yeri
Greenhorn

Joined: Oct 07, 2010
Posts: 11
Since you are providing Logins to each user, you would be maintaining a User Id per user also.

Using Servlet Context Object:
1. Whenever a User Logs in successfully, put the User Id and put the object in the ServletContext Object.
2. For Every login, check if the user is already logged in by checking the Servlet Context Object. If the User Id is already present then don't allow him to login again.
3. If the person logs out (i.e. if he clicks on log out), then remove the User Id from the Servlet Context Object.

Please note that this solution works when the production environment has a single JVM (i.e. only 1 production server).

Satchidananda Mohanty
Ranch Hand

Joined: Mar 12, 2008
Posts: 77

Thank you very much Praneeth

zeet
ayyappan Bas
Ranch Hand

Joined: Oct 11, 2008
Posts: 39
Hi

You have to maintain a table for user and password. To that table you have to add one more column, loginstatus. Whenever he/she logs in, change the flag to yes. On logout, change the flag to no. When the user is going to log in, just check the status at that time. If the flag is no (N), then allow the user; otherwise do not allow.

Thanks & Regards
Ayyappan
Satchidananda Mohanty
Ranch Hand

Joined: Mar 12, 2008
Posts: 77

Thank you ayyappan
Shanky Sohar
Ranch Hand

Joined: Mar 17, 2010
Posts: 1051

I think using a context parameter is a good choice, because in any way for table also we have to use


SCJP6.0,My blog Ranchers from Delhi
Ed Ward
Ranch Hand

Joined: Jan 30, 2006
Posts: 147
Praneeth Yeri wrote:
Please note that this solution works when the production environment has a single JVM ( i.e only 1 production server).


Are you saying it won't in a clustered environment? I don't know whether it will or not, I'm just asking.
Since clustered environments usually have configs to periodically migrate session data from one node to another, wouldn't they also allow for servlet/application context data to be migrated as well?
Again, I don't know and have not looked it up. The thought just popped out.
Shanky Sohar
Ranch Hand

Joined: Mar 17, 2010
Posts: 1051

The session gets transferred from one server to another server; when transferred, the session on the 1st server gets passivated and the session on the 2nd server gets activated.

ServletContext parameters are copied from the 1st server to the 2nd server.

ServletConfig parameters are created again after the session transfer happens.

Shanky Sohar
Ranch Hand

Joined: Mar 17, 2010
Posts: 1051

Praneeth Yeri wrote:
Since you are providing Logins to each user, you would be maintaining a User Id per user also.

Using Servlet Context Object:
1. Whenever a User Logs in successfully, put the User Id and put the object in the ServletContext Object.
2. For Every login, check if the user is already logged in by checking the Servlet Context Object. If the User Id is already present then don't allow him to login again.
3. If the person logs out (i.e. if he clicks on log out), then remove the User Id from the Servlet Context Object.

Please note that this solution works when the production environment has a single JVM (i.e. only 1 production server).


So this should work for cluster environment too
Raphael S Rodrigues
Greenhorn

Joined: Dec 20, 2010
Posts: 6
The solution above seems to work, but in some cases the logged-in user does not click on the logout button! So the session in this case will expire, and if the user tries to log on again he will receive an error. How can I handle this case?


raphaufrj@gmail.com
twitter.com/raphaufrj
OCP Java SE 6 Programmer, OCE Java EE 6 JSPSD, OCE Java EE 6 EJBD, OCE Java EE 6 JPAD, OCE Java EE 6 WebServices.
Satchidananda Mohanty
Ranch Hand

Joined: Mar 12, 2008
Posts: 77

Hi Raphael ,

One thing you could implement there: please add a Java class implementing HttpSessionListener and overwrite the methods there.
In the session destroyed method, change your login status, so when the page automatically expires that code will execute to reset your login status.


Have a look at the following code for your reference.



good luck,
zeet

ramprasad madathil
Ranch Hand

Joined: Jan 24, 2005
Posts: 489

The solution above seems to work, but in some cases the logged-in user does not click on the logout button! So the session in this case will expire, and if the user tries to log on again he will receive an error. How can I handle this case?


The session would eventually expire on the server after the maximum inactive interval configured. Write a SessionListener and in the sessionDestroyed() method, remove the entry from wherever you are storing the list of active users.

The user cannot of course log-in in the interval between when he closed the browser and the session expires on the server and you cannot do anything about it.

It will also not work in a cluster though there are posts in this thread indicating it will.

cheers,
Ram.
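
The ServletContext registry and the sessionDestroyed() cleanup described in the posts above, as an added example that is not code from any poster in this thread. The class name, the attribute names `activeUsers` and `userId`, and the `tryLogin` helper are assumptions; it covers the single-JVM case only.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.ServletContext;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical single-JVM registry of user id -> session id, kept in the ServletContext. */
@WebListener
public class ActiveUserRegistry implements HttpSessionListener {
    static final String REGISTRY = "activeUsers"; // context attribute name (assumed)
    static final String USER_ID = "userId";       // session attribute name (assumed)

    @SuppressWarnings("unchecked")
    private static ConcurrentMap<String, String> registry(ServletContext ctx) {
        synchronized (ActiveUserRegistry.class) { // create the map once, even under concurrent first logins
            Object map = ctx.getAttribute(REGISTRY);
            if (map == null) {
                map = new ConcurrentHashMap<String, String>();
                ctx.setAttribute(REGISTRY, map);
            }
            return (ConcurrentMap<String, String>) map;
        }
    }

    /** Call after the password check succeeds. Returns false if another session holds the user. */
    public static boolean tryLogin(HttpSession session, String userId) {
        // putIfAbsent makes "check, then register" one atomic step, so two
        // simultaneous logins for the same user cannot both pass the check.
        String owner = registry(session.getServletContext()).putIfAbsent(userId, session.getId());
        if (owner != null && !owner.equals(session.getId())) {
            return false;
        }
        session.setAttribute(USER_ID, userId);
        return true;
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) { }

    /** Runs on explicit logout (invalidate()) and on timeout after the max inactive interval. */
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        Object userId = session.getAttribute(USER_ID);
        if (userId != null) {
            // Two-argument remove: only the session that owns the entry can free it.
            registry(session.getServletContext()).remove(userId, session.getId());
        }
    }
}
```

If the application renews the session id at login, call `tryLogin` after the renewal so the registered id matches the one seen in `sessionDestroyed()`.
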
Raphael S Rodrigues
Greenhorn

Joined: Dec 20, 2010
Posts: 6
My webapp is running in a clustered environment. Because of this, I think that I should use a hybrid solution using sessions and database management.

I think it'll be easiest if I change the problem a little bit:

1. User logged in very well
2. The same user tries to log in
2.1. If the user already exists (find in database, check the jsessionid or IP, I don't know yet), then before session is invalidated (Session.invalidate())
2.2. If not, come back to step 1

The question is: how can I get the first session instance if I'm running in a clustered environment? I know that the session is activated and passivated... I think it's hard to handle.
ramprasad madathil
Ranch Hand

Joined: Jan 24, 2005
Posts: 489

In a clustered environment, the issue arises when you try to store application-wide data such as an active user list in an object on the JVM. Whenever the list is modified, you will have to find a way to propagate changes to the other servers on the cluster to keep the list 'in sync'.

If you are storing the list of active users in a db, that would solve the problem above.

Then the only issue that remains would be what I had posted earlier -
The user cannot of course log-in in the interval between when he closed the browser and the session expires on the server and you cannot do anything about it.

ram.
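
The database-backed variant discussed in this thread (a login-status column, or an active-user list stored in the db), as an added example that is not code from any poster. It goes beyond the posts by adding a last-seen timestamp so a row left behind by a crashed node or an abandoned browser frees itself. The table `users`, its columns `user_id`, `active_session` and `last_seen`, and the class name are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Timestamp;

/** Hypothetical cluster-safe login slot: one row per user in an assumed table "users". */
public class DbLoginSlot {
    // Succeeds only if the slot is free, already ours, or its holder has gone stale.
    private static final String CLAIM =
        "UPDATE users SET active_session = ?, last_seen = ? WHERE user_id = ? "
      + "AND (active_session IS NULL OR active_session = ? OR last_seen < ?)";
    // Only the holder can free the slot, so a late logout cannot evict a newer login.
    private static final String RELEASE =
        "UPDATE users SET active_session = NULL WHERE user_id = ? AND active_session = ?";

    /**
     * Call at login, and again on each request as a heartbeat. Assumes an auto-commit connection.
     * sessionToken: a random per-session value kept in the HttpSession (not the raw JSESSIONID).
     */
    public static boolean claim(Connection con, String userId, String sessionToken,
                                long timeoutMillis) throws SQLException {
        long now = System.currentTimeMillis(); // assumes cluster nodes keep synchronized clocks
        try (PreparedStatement ps = con.prepareStatement(CLAIM)) {
            ps.setString(1, sessionToken);
            ps.setTimestamp(2, new Timestamp(now));
            ps.setString(3, userId);
            ps.setString(4, sessionToken);
            ps.setTimestamp(5, new Timestamp(now - timeoutMillis));
            // Check and update happen in one statement under the row lock, so of two
            // simultaneous logins on different nodes only one gets an update count of 1.
            return ps.executeUpdate() == 1;
        }
    }

    /** Call from logout and from sessionDestroyed(). */
    public static void release(Connection con, String userId, String sessionToken)
            throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(RELEASE)) {
            ps.setString(1, userId);
            ps.setString(2, sessionToken);
            ps.executeUpdate();
        }
    }
}
```

Setting `timeoutMillis` to the session's max inactive interval bounds the lock-out window after a closed browser to the same interval the container would have enforced.
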
Raphael S Rodrigues
Greenhorn

Joined: Dec 20, 2010
Posts: 6
Exactly!

The question is: how can I manage session objects in a cluster environment? Any ideas?

I would like to log out the session...
Raphael S Rodrigues
Greenhorn

Joined: Dec 20, 2010
Posts: 6
I found this solution on Stack Overflow: http://stackoverflow.com/questions/3515209

Basically, I have a ServletFilter where I can keep my active sessions in a static map variable, where the key is my user and the value is my HttpSession. The problem is, this static map variable, where does the web container save it? Is there one per cluster? If yes, it does not solve the problem in a cluster environment, does it?
Raphael S Rodrigues
Greenhorn

Joined: Dec 20, 2010
Posts: 6
The answer to my last question is: caching. I have to use some cache solution, for example EhCache or JBoss Cache, because those solutions are available for multi-cluster environments. So, I can save my logged users HashMap in a cache.

Thanks for all,