How to prohibit concurrent user logins?

Printable View

Jan 12th, 2005, 05:58 PM
mmilliss

How to prohibit concurrent user logins?

I'm trying to implement a login system that only allows a user to have a single session running at any one time. What I mean by this is:

1. user X logs in successfully into session 1

2. From another machine or browser the same user X logs in successfully into a separate session 2. This should cause session 1 to become invalidated/logged out.

Is it possible to do this in Acegi? Any assistance would be appreciated.

Cheers
Matt
Jan 12th, 2005, 06:19 PM
Rexxe

One way to do it, not through Ageci, is to create a map with a key of username and a value of session id. Then when someone logs in, you check the map to see if the username is already logged in and if they are invalidate the old session. Of course, you will have to manually manage this map, which means removing the entry if they log out or their session times out, but you can use a SessionListener for the whole thing.

--Rexxe
Jan 12th, 2005, 10:56 PM
mmilliss

Thanks Rexxe,

I've had a look at the SessionListener and I think I need to also use the an ApplicationListener to capture logon events. I think I need both because the SessionListener captures sessionCreate events (which happen before logon and therefore are not interesting to me) and sessionDestroy events (which I need to check and remove the user from my map). The applicationListener captures the logon event which I can then check to see if the user is already logged on and if so invalidate their first session.

My problem now is how to I invalidate a session given the session id.

Cheers
Matt
Jan 12th, 2005, 11:15 PM
Rexxe

Here's a thread I found: http://forum.springframework.org/showthread.php?t=10773
Jan 13th, 2005, 04:36 PM
mmilliss

Thanks Rexxe, I've managed to get the functionality working but I have a couple of issues I need to iron out.

Firstly I had to store the username/HTTPSession in the map rather than the username/sessionId as I couldn't figure out a way to get a handle on the HTTPSession given a session id. This works and I can invalidate the session but I would rather just store the session id.

And secondly, do you know how listeners work in clustered environments. ie I have my web app running on 2 servers in load sharing mode. A user X logs into server A and gets a logged in session. User X then attempts to login via server B, this will cause an event to be published from server B. My question is will server A pick up this event, as I now need my listener on server A to catch this event and invalidate the session of User X on server A.

Cheers
Matt
Jan 14th, 2005, 01:38 PM
Rexxe

I have never used them in clustered environments, but they should work since the session is replicated. You should look at: http://java.sun.com/products/servlet...gListener.html

Also, are you using Tomcat? If you are, the session information can be shared between the two app servers using a database, which is configurable in the Tomcat config files. See http://jakarta.apache.org/tomcat/tom...ter-howto.html

--Rexxe