logging users out of the system

Mark Lybarger
Ranch Hand

Joined: Dec 19, 2003
Posts: 72
hopefully this qualifies as a "pattern". we have a requirement that a user can only log in from one browser session at a time to our web app (weblogic j2ee/web and ejb using turbine framework). we also have a requirement that when the user closes their browser, they should be automatically logged out.

what is a good way to handle this? is there a typical "pattern" for performing this type of task?

our initial instinct is to have a isloggedin column on the user table, and use that to prohibit multiple logins from multiple sessions (different work stations or different browser sessions). we can easily use some javascript to send some info to the server to run an action which will log the user out when closing their browser. the problem is when their HTTP session times out, we also should log them out, otherwise, the isloggedin flag won't get reset. to resolve this issue, the thought arose to use a stateful session bean and have every request to the web from the user (page get/post) basically ping the session bean to keep it alive. this shouldn't add too much overhead to the application, but i wanted to get others thoughts on this, please.
Warren Dew
blacksmith
Ranch Hand

Joined: Mar 04, 2004
Posts: 1332
The session bean update would be in addition to the database field, since you'd still have to coordinate across potential new sessions, right? That sounds reasonable to me. Just make sure the app clears the database flags on startup, in case of a crash.
Mark Lybarger
Ranch Hand

Joined: Dec 19, 2003
Posts: 72
thanks, we're using the turbine framework which seems to provide hooks to tie into the server startup to clear out any stale logged in users.

i was just wondering if others have had a similar requirement and how you implemented something for this (user can only log in from one station at a time).
Stan James
(instanceof Sidekick)
Ranch Hand

Joined: Jan 29, 2003
Posts: 8791
It's always a challenge! The user can knock the plug out with his foot and the server gets no notice that he's gone. Any place you keep persistent information about who is logged on can go stale and prevent someone from logging on again.

I used to use IBM's mainframe VM/CMS time-sharing system and it had an option to "logon HERE" that would blow off any other existing session for the userid. Before that came along it was possible to get bad session data so the mainframe would lock you out until somebody manually reset your id. I loved this feature when moving around the building, logging on in different places.

You could have a keep-alive message from the client to the server every minute or so. If the server fails to get a couple of them it could assume the client is gone and remove the session. Or do it the other way - have the server ping the client now and then to see if it's still there. A browser client with an applet for "push" messaging could respond to this, too.

Any of that sound interesting?
[ May 17, 2004: Message edited by: Stan James ]

A good question is never answered. It is not a bolt to be tightened into place but a seed to be planted and to bear more seed toward the hope of greening the landscape of the idea. John Ciardi
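
The ideas in the posts above (a per-user login record, keep-alives, and a "logon HERE" takeover) can be combined by storing a session id with an expiry instead of a boolean flag, so a stale record expires on its own. This is an added example, not code from any poster in the thread; `SingleSessionRegistry`, its method names, and the in-memory map standing in for the user-table column are all hypothetical, and it assumes Java 16+ for records.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical registry: one live session per user, held as a lease that keep-alives renew.
public class SingleSessionRegistry {
    private record Lease(String sessionId, Instant expires) {}
    private final Map<String, Lease> leases = new ConcurrentHashMap<>();
    private final Duration ttl;

    public SingleSessionRegistry(Duration ttl) { this.ttl = ttl; }

    // Login wins if there is no lease, the lease is stale, it is the same session, or takeOver is set.
    public boolean login(String user, String sessionId, boolean takeOver, Instant now) {
        Lease fresh = new Lease(sessionId, now.plus(ttl));
        Lease result = leases.compute(user, (u, cur) ->
            (cur == null || takeOver || cur.sessionId().equals(sessionId)
                || !cur.expires().isAfter(now)) ? fresh : cur);
        return result == fresh;
    }

    // Call on every request or keep-alive; false means the session expired or was displaced.
    public boolean touch(String user, String sessionId, Instant now) {
        Lease r = leases.computeIfPresent(user, (u, cur) ->
            cur.sessionId().equals(sessionId) && cur.expires().isAfter(now)
                ? new Lease(sessionId, now.plus(ttl)) : cur);
        return r != null && r.sessionId().equals(sessionId) && r.expires().isAfter(now);
    }

    // Explicit logout or HTTP session timeout: remove only if this session still owns the lease.
    public void logout(String user, String sessionId) {
        leases.computeIfPresent(user, (u, cur) -> cur.sessionId().equals(sessionId) ? null : cur);
    }

    public static void main(String[] args) {
        SingleSessionRegistry reg = new SingleSessionRegistry(Duration.ofMinutes(2));
        Instant t0 = Instant.parse("2004-05-17T09:00:00Z"); // constructed timestamps and ids
        System.out.println(reg.login("mark", "sess-A", false, t0));                  // first browser
        System.out.println(reg.login("mark", "sess-B", false, t0.plusSeconds(60)));  // second browser, A still live
        System.out.println(reg.login("mark", "sess-B", false, t0.plusSeconds(180))); // A sent no keep-alive for 3 min
        System.out.println(reg.touch("mark", "sess-A", t0.plusSeconds(200)));        // A's next request after B logged in
        System.out.println(reg.login("mark", "sess-C", true, t0.plusSeconds(210)));  // "logon HERE" from a third browser
    }
}
```

When `touch` returns false, the web tier would invalidate that HTTP session and send the user back to the login page.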
Stan James
(instanceof Sidekick)
Ranch Hand

Joined: Jan 29, 2003
Posts: 8791
Hey, Mark, come back and tell us what you finally did!
 