Checking if user is logged in inside a different browser.

Alexey Timokhin
Greenhorn

Joined: Mar 23, 2012
Posts: 25
Fellow lurkers, I encountered a problem I don't know how to tackle, so I ask for some advice :)

I have a JSP project which works well and has a simple login page. While I was testing, a thought struck me, "What if the user logs in from two browsers at once?". So I tried it out, and I was logged in at two places at once with the same user name. That's somewhat of a security issue and a performance issue on my part, so I am in a mindset to fix it. The question is, though, how?

I'm not sure what would be the best way, and I think I narrowed it down to these options:
1. On log in, check if such a username is already logged in, and if yes, do not let him log in with a warning.
2. On log in, check if such a username is already logged in, and if yes, log them in, and log the other one out.

Opinions on which method is more user friendly are appreciated.

Now the development. What should be the approach to this? I know I read somewhere that all the session values are stored, which means you can recall the value, but I can't find the source anymore.

All ideas and suggestions are welcome :)

Koen Aerts
Ranch Hand

Joined: Feb 07, 2012
Posts: 344

Maybe an HttpSessionBindingListener would be a good starting point. The "Getting all sessions" thread may be somewhat related to your issue.
Prasad Krishnegowda
Ranch Hand

Joined: Apr 25, 2010
Posts: 507

It depends on what the main purpose of the application is.
For example, if it's an online shopping web application, I would go for option 1, i.e. give the user a warning and prevent login. This is because, say, the user has already logged in and has selected a few items and added them to the cart (assuming you store them in the session), and if the user logs in with a different browser, then this data is gone.

Now, coming to the implementation: how is the login currently done in the application? Is it using any frameworks, like Spring Security? If yes, then they have methods to prevent the user logging in.

However, in general, this problem can be solved as below.
1. When the user logs in, update a table column in the database to yes, and before allowing login, check this column; if it's yes, deny them login with a suitable error message.
2. On log out of the user, update the same column to no.
3. You have to use HttpSessionListener and check for session timeout, and in this case also update the column to no. This is needed because sometimes users may just close the browser without logging out.


Regards, Prasad
SCJP 5 (93%)
Alexey Timokhin
Greenhorn

Joined: Mar 23, 2012
Posts: 25
On login, I create a session value of "username" and when the person logs out, the value is deleted. I am using a servlet to store it with session.setAttribute("username", [valueFromTextBox]).

I'm not using Spring, I am only using JSP and servlets.

Thanks for the idea, but the database suggestion seems a bit bothersome and redundant, even though it is valid. A whole column just for that seems a bit extreme ;) I will keep the idea in mind as a last resort as it can solve my issue.

I was looking for something to iterate through all "username"s and compare if there is a match.
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18541

Alexey Timokhin wrote: I was looking for something to iterate through all "username"s and compare if there is a match.


A HashSet would be a simple way to do that. You'd need to put it into application scope so it was accessible to whichever servlets or filters needed to do that search.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646

You should expand and refine your "checking" criteria. Can a user open two tabs in one browser and log in twice? Can they use separate browsers on the same machine to log in twice? Can they use separate virtual machines on the same physical machine? Can they use two computers on the same LAN? Can they use a desktop computer and a smartphone?

However you define it, you need to decide how serious you want to be about the possibilities. Most solutions to this, such as using a HashSet, are open to assorted race conditions.

Preventing it from ever happening is actually a lot of work. Perhaps a better solution is to change your requirements so you can be happy if there are two sessions at once.
Alexey Timokhin
Greenhorn

Joined: Mar 23, 2012
Posts: 25
Well, my goal was to make sure that only one instance is present per person at any time. So if you try to log in from different windows, tabs, browsers, devices/machines, it would come into effect.

Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646

With that as your goal/design criteria, it's easy. Just have a field in the DBMS that says "user is logged in now".

You have some work to do, as people don't tend to log off, and you need to clear it when the session timeout is triggered.

The JSP and JSession can help, but you need a more complete solution.
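
The ideas raised in this thread (an application-scope collection of logged-in usernames, an HttpSessionBindingListener for cleanup on logout or timeout, and the race-condition concern) can be combined as follows. This is an added example, not code posted by any participant; the class name LoginRegistry, the method names and the "loginMarker" attribute are assumptions made for illustration, and it assumes the javax.servlet API of a plain JSP/servlet application.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Hypothetical helper, not from the thread: at most one live session per username. */
public final class LoginRegistry {
    private static final String ATTR = "loginMarker"; // assumed attribute name
    // username -> marker of the session that currently owns the login (one JVM only)
    private static final ConcurrentMap<String, Marker> ACTIVE = new ConcurrentHashMap<>();

    private LoginRegistry() { }

    /** Option 1: refuse a second login. putIfAbsent is a single atomic step, so two
     *  simultaneous logins cannot both pass a separate "contains, then add" check. */
    public static boolean loginOrReject(String username, HttpSession session) {
        Marker mine = new Marker(username, session);
        if (ACTIVE.putIfAbsent(username, mine) != null) {
            return false; // someone already holds this username
        }
        session.setAttribute(ATTR, mine);
        return true;
    }

    /** Option 2: the newest login wins and the older session is ended. */
    public static void loginAndEvict(String username, HttpSession session) {
        Marker mine = new Marker(username, session);
        Marker old = ACTIVE.put(username, mine);
        session.setAttribute(ATTR, mine);
        if (old != null && !old.session.getId().equals(session.getId())) {
            try { old.session.invalidate(); } catch (IllegalStateException alreadyEnded) { }
        }
    }

    /** Lives in the session; the container calls valueUnbound when the attribute is
     *  removed, the session is invalidated (logout) or the session times out. */
    private static final class Marker implements HttpSessionBindingListener {
        private final String username;
        private final HttpSession session;
        Marker(String username, HttpSession session) { this.username = username; this.session = session; }
        @Override public void valueBound(HttpSessionBindingEvent event) { }
        @Override public void valueUnbound(HttpSessionBindingEvent event) {
            // Two-argument remove: only delete the entry if it is still ours, so an
            // evicted session's cleanup cannot erase the newer login.
            ACTIVE.remove(username, this);
        }
    }
}
```

The login servlet would call one of the two methods only after the password check succeeds. The map lives in a single JVM, so a clustered deployment still needs shared state such as the database column suggested in the thread.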