Fellow lurkers, I encountered a problem I don't know how to tackle, so I ask for some advice :)
I have a JSP project which works well and has a simple login page. While I was testing, a thought struck me, "What if the user logs in from two browsers at once?". So I tried it out, and I was logged in at two places at once with the same user name. That's somewhat of a security issue and a performance issue on my part, so I am in a mindset to fix it. The question is, though, how?
I'm not sure what would be the best way, and I think I narrowed it down to these options:
1. On log in, check if such a username is already logged in, and if yes, do not let him log in with a warning.
2. On log in, check if such a username is already logged in, and if yes, log them in, and log the other one out.
Opinions on which method is more user friendly is appreciated.
Now the development. What should be the approach to this? I know I read somewhere that all the session values are stored, which means you can recall the value, but I can't find the source anymore.
It depends on what's the main purpose of the application..
For ex. If its a online shopping web application, I would go for option1, i.e. give user a warning and prevent login, this is because, say user has already logged in and have selected few items and added to cart,assuming you store them in session, and if user logs in with different browser, then these data is gone.
Now, coming to the implementation..Currently, how the login is been done in the application? Is it using any frameworks, like Spring Security, if yes, then they have the methods to prevent the user logging in..
However, in general this problem, can be solved as below.
1. when user logs in, update a table column in database as yes and before allowing login, check this column, if its yes, deny them login with suitable error message.
2. on log out of user, update the same column as no.
3. You have to use HTTPSessionListener and check for session timeout and even in this case also, update the column as no. This is needed because, sometimes, users may just close the browser without logging out.
Joined: Mar 23, 2012
On login, I create a session value of "username" and when the person logs out, the value is deleted. I am using a servet to store it with session.setAttribute("username", [valueFromTextBox]).
I'm not using Spring, I am only using JSP and servlets.
Thanks for the idea, but the database suggestion seems a bit bothersome and redundant, even though it is value. A whole column just for that seems a bit extreme ;) I will keep the idea in mind as a last resort as it can solve my issue.
I was looking for something to iterate through all "username"s and compare if there is a match.
You should expand and refine your "checking" criteria. Can a user open two tabs in one browser and login twice? Can they use separate browsers on the same machine to login twice? Can they use separate virtual machines on the same physical machine? Can they use two computers on the same LAN? Can they use a desktop computer and a smartphone?
However you define it, you need to decide how serious you want to be about the possibilities. Most solutions to this, such as using a HashSet, are open to assorted race conditions.
Preventing it from ever happening is actually a lot of work. Perhaps a better solution is to change your requirements so you can be happy if there are two sessions at once.
Joined: Mar 23, 2012
Well, my goal was to make sure that only one instance is present per person at any time. So if you try to log in from different windows, tabs, browsers, devices/machines, it would come into effect.