
logging users out of the system

 
Mark Lybarger
Ranch Hand
Posts: 72
hopefully this qualifies as a "pattern". we have a requirement that a user can only log in from one browser session at a time to our web app (weblogic j2ee/web and ejb using turbine framework). we also have a requirement that when the user closes their browser, they should be automatically logged out.

what is a good way to handle this? is there a typical "pattern" for performing this type of task?

our initial instinct is to have an isloggedin column on the user table, and use that to prohibit multiple logins from multiple sessions (different work stations or different browser sessions). we can easily use some javascript to send some info to the server to run an action which will log the user out when closing their browser. the problem is when their HTTP session times out, we also should log them out, otherwise, the isloggedin flag won't get reset. to resolve this issue, the thought arose to use a stateful session bean and have every request to the web from the user (page get/post) basically ping the session bean to keep it alive. this shouldn't add too much overhead to the application, but i wanted to get others' thoughts on this, please.
 
Warren Dew
blacksmith
Ranch Hand
Posts: 1332
The session bean update would be in addition to the database field, since you'd still have to coordinate across potential new sessions, right? That sounds reasonable to me. Just make sure the app clears the database flags on startup, in case of a crash.
 
Mark Lybarger
Ranch Hand
Posts: 72
thanks, we're using the turbine framework which seems to provide hooks to tie into the server startup to clear out any stale logged in users.

i was just wondering if others have had a similar requirement and how you implemented something for this (user can only log in from one station at a time).
 
Stan James
(instanceof Sidekick)
Ranch Hand
Posts: 8791
It's always a challenge! The user can knock the plug out with his foot and the server gets no notice that he's gone. Any place you keep persistent information about who is logged on can go stale and prevent someone from logging on again.

I used to use IBM's mainframe VM/CMS time-sharing system and it had an option to "logon HERE" that would blow off any other existing session for the userid. Before that came along it was possible to get bad session data so the mainframe would lock you out until somebody manually reset your id. I loved this feature when moving around the building, logging on in different places.

You could have a keep-alive message from the client to the server every minute or so. If the server fails to get a couple of them it could assume the client is gone and remove the session. Or do it the other way - have the server ping the client now and then to see if it's still there. A browser client with an applet for "push" messaging could respond to this, too.

Any of that sound interesting?
[ May 17, 2004: Message edited by: Stan James ]
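
The "logon HERE" and keep-alive ideas above, combined as an added example (not part of the original thread, and not Turbine or WebLogic code): each user maps to one session lease that expires when pings stop, so a stale entry can never lock anyone out. The class name, the 60-second ping interval and the session IDs are assumptions.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example: one active session per user, held as an expiring lease. */
public class SingleSessionRegistry {
    // Assumption: the client pings every 60 s; two missed pings mean it is gone.
    static final long LEASE_MS = 2 * 60_000L;

    private static final class Lease {
        final String sessionId;
        final long expiresAt;
        Lease(String sessionId, long expiresAt) { this.sessionId = sessionId; this.expiresAt = expiresAt; }
    }

    private final Map<String, Lease> active = new ConcurrentHashMap<>();

    /** "Logon HERE": the newest login always wins and displaces any older session. */
    public void login(String user, String sessionId, long now) {
        active.put(user, new Lease(sessionId, now + LEASE_MS));
    }

    /** Call on every request or ping. False means: invalidate the HTTP session, show login. */
    public boolean keepAlive(String user, String sessionId, long now) {
        // computeIfPresent is atomic per key, so a concurrent login is never overwritten.
        Lease l = active.computeIfPresent(user, (u, cur) -> {
            if (!cur.sessionId.equals(sessionId)) return cur; // caller was displaced; keep owner
            if (cur.expiresAt <= now) return null;            // owner went silent; drop the lease
            return new Lease(sessionId, now + LEASE_MS);      // owner is alive; renew
        });
        return l != null && l.sessionId.equals(sessionId);
    }

    /** Explicit logout; only the owning session may clear the entry. */
    public void logout(String user, String sessionId) {
        active.computeIfPresent(user, (u, cur) -> cur.sessionId.equals(sessionId) ? null : cur);
    }

    public static void main(String[] args) {
        SingleSessionRegistry r = new SingleSessionRegistry();
        long t = 0; // constructed timeline in milliseconds
        r.login("mark", "browser-A", t);
        r.login("mark", "browser-B", t + 30_000); // second workstation takes over
        System.out.println("A after takeover:   " + r.keepAlive("mark", "browser-A", t + 60_000));
        System.out.println("B within lease:     " + r.keepAlive("mark", "browser-B", t + 60_000));
        System.out.println("B after long pause: " + r.keepAlive("mark", "browser-B", t + 400_000));
    }
}
```

Because the entry is keyed to a session ID and carries its own expiry, a crash, a closed browser or a pulled plug needs no cleanup pass before the user can log in again.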
 
Stan James
(instanceof Sidekick)
Ranch Hand
Posts: 8791
Hey, Mark, come back and tell us what you finally did!
 