
Preventing Multiple Login with same login credentials

 
Manish Sahni
Ranch Hand
Posts: 41
I am developing a web application that needs to prevent multiple logins using the same user name and password concurrently.

If it happens on the same machine then we need to do something with the user session, but it should also prevent them if they are logged in on different machines using the same user name and password.

What would be the best approach?

1) Should I store the user session, credentials, and IP address of the machine in the DB?

2) Should we use the session tracking mechanism in the application itself? If so, what is the best approach?


Also, we have to keep the following things in mind:

1) If the user closes the browser without logging out.

2) If the session times out.


Hope this clarifies the question.
 
Ivan Jozsef Balazs
Rancher
Posts: 972
A DB is a good place to maintain this information, and I suggest using it on top of the session mechanism provided by the container.



 
Pravin Shirke
Ranch Hand
Posts: 150
Hi Manish,

I suggest you keep a flag in your user maintenance table, with a default value of 'N' (i.e. not logged in). Once you log in successfully to the application, update the flag to logged in (some flag value like 'Y'). Every time you try to log in to the application for a particular user, just check that the value of the flag is 'N'; if it is 'Y', redirect to the login page and fail the login process with an appropriate message for the user. This will work irrespective of the machine the user has logged in from, i.e. it will ensure that only one session exists for a user.

Now, to handle the other scenarios (the user closes the browser without logging out, or the session times out), you need to implement a SessionListener, which should be called when the user closes the browser window, upon which it will update the flag to 'N'.

Hope this helps...
 
Ulf Dittmer
Rancher
Pie
Posts: 42966
Any approach that relies on the web app getting notified somehow if the browser (or browser window) gets closed is likely to be unreliable. In that case the user will have to wait until the session expires.
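
The flag-plus-listener approach discussed in the posts above, as an added example that is not part of the original thread: it records the owning session id instead of a bare 'Y'/'N' flag, and releases it on logout or container timeout. The class name `SingleSessionRegistry`, the `userId` attribute name and the in-memory map (standing in for the DB table) are assumptions.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Added example: at most one active session per user.
 * Register it with a <listener> element in web.xml.
 * Class name and the "userId" attribute name are hypothetical.
 */
public class SingleSessionRegistry implements HttpSessionListener {

    // userId -> id of the session that currently holds the login.
    // In-memory stand-in for the DB table suggested in the thread;
    // a clustered deployment needs shared storage instead.
    private static final ConcurrentMap<String, String> ACTIVE =
            new ConcurrentHashMap<String, String>();

    /**
     * Call after the credentials have been verified.
     * Returns false when another session already holds this user's login.
     */
    public static boolean tryLogin(String userId, HttpSession session) {
        String holder = ACTIVE.putIfAbsent(userId, session.getId());
        if (holder != null && !holder.equals(session.getId())) {
            return false; // reject the second concurrent login
        }
        session.setAttribute("userId", userId);
        return true;
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to do until the user authenticates.
    }

    // Invoked by the container on HttpSession.invalidate() (explicit logout)
    // and on session timeout. A closed browser is not reported to the server,
    // so in that case the entry is released only when the session times out.
    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        Object userId = session.getAttribute("userId");
        if (userId != null) {
            // Two-argument remove: only clear the entry if this session owns it.
            ACTIVE.remove((String) userId, session.getId());
        }
    }
}
```

The logout handler only needs to call `session.invalidate()`; the session timeout configured in web.xml bounds how long a user who closed the browser stays blocked.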
 
Sourabh Bawage
Ranch Hand
Posts: 33
Pravin Shirke wrote: Hi Manish,

I suggest you keep a flag in your user maintenance table, with a default value of 'N' (i.e. not logged in). Once you log in successfully to the application, update the flag to logged in (some flag value like 'Y'). Every time you try to log in to the application for a particular user, just check that the value of the flag is 'N'; if it is 'Y', redirect to the login page and fail the login process with an appropriate message for the user. This will work irrespective of the machine the user has logged in from, i.e. it will ensure that only one session exists for a user.

Hope this helps...


Hi... I would really like to know how the flag can be set to 'N' if the user closes the browser and does not log out properly?
 
Amreen Bhatti
Greenhorn
Posts: 5
Set the session ID in the SOAP header so that the API can validate subsequent requests for this session.
Specify the server URL as the target for subsequent service requests. You must change to the server URL; the login server only supports login calls.
 
Sourabh Bawage
Ranch Hand
Posts: 33
Amreen Bhatti wrote: Set the session ID in the SOAP header so that the API can validate subsequent requests for this session.
Specify the server URL as the target for subsequent service requests. You must change to the server URL; the login server only supports login calls.


An example would be great...
 
Amreen Bhatti
Greenhorn
Posts: 5
Check here: http://www.nullskull.com/articles/20030418.asp - hope it helps you.
 
Ulf Dittmer
Rancher
Pie
Posts: 42966
Amreen Bhatti wrote: Set the session ID in the SOAP header

What does SOAP have to do with this problem?
 
Amreen Bhatti
Greenhorn
Posts: 5
Is this a typo, 'sessionid', not 'sessionId'? session*I*d.

According to the above example, I think this should work.

    def on_simple_outbound
      if @sessionid
        { XSD::QName.new("urn:enterprise.soap.sforce.com", "sessionId") => @sessionid }
      end
    end

But the only WSDL I know is partner.wsdl, which does not define
'urn:enterprise.soap.sforce.com'. I can be wrong...

Regards,
// NaHi
 
Pravin Shirke
Ranch Hand
Posts: 150
Hi Sourabh,

For implementation of resetting the flag to 'N' once the user closes the browser window, you need to invoke a JavaScript function like:
Assuming you have set the session id in context, the listener would do the rest, as its SessionDestroyed() method would be called, wherein you need to invoke a DB call for the particular user to reset the flag to 'N'.
 
Sourabh Bawage
Ranch Hand
Posts: 33
Pravin Shirke wrote: Hi Sourabh,

For implementation of resetting the flag to 'N' once the user closes the browser window, you need to invoke a JavaScript function like:
Assuming you have set the session id in context, the listener would do the rest, as its SessionDestroyed() method would be called, wherein you need to invoke a DB call for the particular user to reset the flag to 'N'.


Ya, but the process would fail if the scripts are turned off...
 
Pravin Shirke
Ranch Hand
Posts: 150
Sourabh Bawage wrote: Ya, but the process would fail if the scripts are turned off...

Yes, agreed. But I don't think there would be any practical scenario wherein scripts are disabled in this world of dynamic, user-interaction-driven applications...
 