
Preventing Multiple Login with same login credentials

Manish Sahni
Ranch Hand

Joined: Sep 09, 2009
Posts: 41

I am developing a web application that needs to prevent multiple logins using the same user name and password concurrently.

If it happens on the same machine then we need to do something with the user session, but it should also prevent it if they are logged in on different machines using the same user name and password.

What would be the best approach?

1) Should I store the user session, credentials, and IP address of the machine in the DB?

2) Should we use the session tracking mechanism in the application itself? If so, what is the best approach?


Also, we have to keep the following things in mind:

1) If the user closes the browser without logging out.

2) If the session times out.


Hope this makes the question clear.
Ivan Jozsef Balazs
Rancher

Joined: May 22, 2012
Posts: 867
    
A DB is a good place to maintain this information, and I suggest using it on top of the session mechanism provided by the container.



Pravin Shirke
Ranch Hand

Joined: Apr 05, 2008
Posts: 150

Hi Manish,

I suggest you keep a flag in your user maintenance table, with a default value of 'N' (i.e. not logged in). Once you log in successfully to the application, update the flag to logged in (some flagging value like 'Y'). Every time you try to log in to the application for a particular user, just check that the value of the flag is 'N'; if it is 'Y', redirect to the login page and fail the login process with an appropriate message for the user. This will work irrespective of the machine the user has logged in from, i.e. it will ensure that only one session exists for a user.

Now, in order to handle the other scenarios, where the user closes the browser without logging out or the session times out, you need to implement a SessionListener, which should be called when the user closes the browser window, upon which it will update the flag to 'N'.

Hope this helps...


[Vipassana] - It is seeing the reality as it is, And not as you want it to be.!!!
SCJP1.5.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42281
    
Any approach that relies on the web app getting notified somehow if the browser (or browser window) gets closed is likely to be unreliable. In that case the user will have to wait until the session expires.


Ping & DNS - my free Android networking tools app
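The flag-plus-listener approach discussed above, as an added example that is not code from any poster in this thread. It assumes the `javax.servlet` API, uses an in-memory map as a stand-in for the DB flag column, and stores the owning session id instead of 'Y'/'N'; the class name, attribute name and timeout value are hypothetical.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Register with @WebListener or a <listener> entry in web.xml.
public class SingleLoginListener implements HttpSessionListener {

    // Assumption: stands in for the DB flag; maps user name -> id of the owning session.
    private static final ConcurrentMap<String, String> ACTIVE = new ConcurrentHashMap<>();
    private static final String USER_ATTR = "singleLogin.user"; // hypothetical attribute name

    /** Call after the password check succeeds. Returns false if another live session owns the user. */
    public static boolean claim(String user, HttpSession session) {
        // putIfAbsent is atomic: two simultaneous logins cannot both observe "not logged in",
        // which a separate "read flag, then update flag" sequence would allow.
        String owner = ACTIVE.putIfAbsent(user, session.getId());
        if (owner != null && !owner.equals(session.getId())) {
            return false; // reject the second login with a message to the user
        }
        session.setAttribute(USER_ATTR, user);
        // A closed browser sends nothing to the server; the slot is freed when this timeout fires.
        session.setMaxInactiveInterval(15 * 60); // seconds, constructed value
        return true;
    }

    /** Explicit logout: invalidate() makes the container call sessionDestroyed below. */
    public static void logout(HttpSession session) {
        session.invalidate();
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to do: the slot is claimed at login, not at session creation.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Called by the container for both explicit invalidation and inactivity timeout.
        HttpSession session = se.getSession();
        Object user = session.getAttribute(USER_ATTR);
        if (user != null) {
            // Two-argument remove frees the slot only if this session still owns it.
            ACTIVE.remove((String) user, session.getId());
        }
    }
}
```

With a real DB table the same two operations become a conditional update on login and a conditional clear in the listener, and rows left behind by a server crash need a separate expiry check because no listener runs for them.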
Sourabh Bawage
Ranch Hand

Joined: Sep 03, 2013
Posts: 33

Pravin Shirke wrote: Hi Manish,

I suggest you keep a flag in your user maintenance table, with a default value of 'N' (i.e. not logged in). Once you log in successfully to the application, update the flag to logged in (some flagging value like 'Y'). Every time you try to log in to the application for a particular user, just check that the value of the flag is 'N'; if it is 'Y', redirect to the login page and fail the login process with an appropriate message for the user. This will work irrespective of the machine the user has logged in from, i.e. it will ensure that only one session exists for a user.

Hope this helps...


Hi... I would really like to know how the flag can be set to 'N' if the user closes the browser and does not log out properly?

SCJP
Amreen Bhatti
Greenhorn

Joined: Sep 03, 2013
Posts: 5
Set the session ID in the SOAP header so that the API can validate subsequent requests for this session.
Specify the server URL as the target for subsequent service requests. You must change to the server URL; the login server only supports login calls.
Sourabh Bawage
Ranch Hand

Joined: Sep 03, 2013
Posts: 33

Amreen Bhatti wrote: Set the session ID in the SOAP header so that the API can validate subsequent requests for this session.
Specify the server URL as the target for subsequent service requests. You must change to the server URL; the login server only supports login calls.


An example would be great...
Amreen Bhatti
Greenhorn

Joined: Sep 03, 2013
Posts: 5
Check here: http://www.nullskull.com/articles/20030418.asp - hope it helps you.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42281
    
Amreen Bhatti wrote: Set the session ID in the SOAP header

What does SOAP have to do with this problem?
Amreen Bhatti
Greenhorn

Joined: Sep 03, 2013
Posts: 5
Is this a typo, 'sessionid', not 'sessionId'? session*I*d.

According to the above example, I think this should work.

    # Return the sessionId header item only when a session id has been set.
    def on_simple_outbound
      if @sessionid
        { XSD::QName.new("urn:enterprise.soap.sforce.com", "sessionId") => @sessionid }
      end
    end

But the only WSDL I know is partner.wsdl, which does not define
'urn:enterprise.soap.sforce.com'. I can be wrong...

Regards,
// NaHi
Pravin Shirke
Ranch Hand

Joined: Apr 05, 2008
Posts: 150

Hi Sourabh,

To implement resetting the flag to 'N' once the user closes the browser window, you need to invoke a JavaScript function like:
Assuming you have set the session id in context, the listener would do the rest, as its SessionDestroyed() method would be called, wherein you need to invoke a DB call for the particular user to reset the flag to 'N'.
Sourabh Bawage
Ranch Hand

Joined: Sep 03, 2013
Posts: 33

Pravin Shirke wrote: Hi Sourabh,

To implement resetting the flag to 'N' once the user closes the browser window, you need to invoke a JavaScript function like:
Assuming you have set the session id in context, the listener would do the rest, as its SessionDestroyed() method would be called, wherein you need to invoke a DB call for the particular user to reset the flag to 'N'.


ya but the process would fail if the scripts are turned off.....
Pravin Shirke
Ranch Hand

Joined: Apr 05, 2008
Posts: 150

ya but the process would fail if the scripts are turned off.....

Yes, agreed. But I don't think there would be any practical scenario wherein scripts are disabled in this dynamic and user-interaction-driven applications world...
 
 