I want to develop a Web application which allows only one instance of session per user.
A user who has already logged in (active session) and tries to open a new session will be given a warning message. He will have the option to end his previous session before opening a new session. In any case a user should not be allowed to open two parallel sessions (either from the same or different machines).
Any help appreciated...
Let me get your problem right:
Say user 'xyz' has logged into your system, you do not want him to log in as 'xyz' again, either from the same or from another machine.
Way to handle it:
1. Keep a log (either cached in memory or in the database) of all the users currently logged in and the timestamp of the last time a request was made.
2. When a user tries to log in, ensure that that user does not already appear in the list of logged in users. If he does, do not allow him to log in again. If he does not appear, let him log in and make an entry in this cache.
3. How to remove the user from the cache.
- When he explicitly logs out
- If he has not explicitly logged out, then allow him to log in when
(Time that user tries to log in - Time of the last request made from him) > session timeout
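One way to implement the three steps above in Java, added here as an example and not code from any poster in this thread. The class and method names are hypothetical, the session id is assumed to be whatever the container assigns (for servlets, `HttpSession.getId()`), and records require Java 16 or later; `replaceSession` covers the "end the previous session" option from the original question.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.ConcurrentHashMap;

// Added example: one active session per user, stale entries expire after the timeout.
public class SingleSessionRegistry {
    private record Entry(String sessionId, Instant lastRequest) {}

    private final ConcurrentHashMap<String, Entry> active = new ConcurrentHashMap<>();
    private final Duration timeout;

    public SingleSessionRegistry(Duration timeout) { this.timeout = timeout; }

    // Step 2: accept the login unless a different session for this user is still live.
    // compute() runs atomically per key, so two simultaneous logins cannot both win.
    public boolean tryLogin(String user, String sessionId, Instant now) {
        Entry kept = active.compute(user, (u, cur) -> {
            boolean live = cur != null
                    && Duration.between(cur.lastRequest(), now).compareTo(timeout) <= 0;
            if (live && !cur.sessionId().equals(sessionId)) return cur; // keep the old one
            return new Entry(sessionId, now);
        });
        return kept.sessionId().equals(sessionId);
    }

    // Step 1: call on every request; false means this session is no longer the user's.
    public boolean touch(String user, String sessionId, Instant now) {
        Entry e = active.computeIfPresent(user, (u, cur) ->
                cur.sessionId().equals(sessionId) ? new Entry(sessionId, now) : cur);
        return e != null && e.sessionId().equals(sessionId);
    }

    // Step 3: explicit logout removes the entry only if it belongs to this session.
    public void logout(String user, String sessionId) {
        active.computeIfPresent(user, (u, cur) -> cur.sessionId().equals(sessionId) ? null : cur);
    }

    // User chose to end the previous session: the new session takes over the slot.
    public void replaceSession(String user, String sessionId, Instant now) {
        active.put(user, new Entry(sessionId, now));
    }

    public static void main(String[] args) {
        SingleSessionRegistry reg = new SingleSessionRegistry(Duration.ofMinutes(30));
        Instant t0 = Instant.parse("2024-01-01T10:00:00Z"); // constructed sample times and ids
        System.out.println("first login S1: " + reg.tryLogin("xyz", "S1", t0));
        System.out.println("parallel login S2: " + reg.tryLogin("xyz", "S2", t0.plusSeconds(60)));
        System.out.println("S2 after timeout: " + reg.tryLogin("xyz", "S2", t0.plusSeconds(3600)));
        System.out.println("old S1 request: " + reg.touch("xyz", "S1", t0.plusSeconds(3660)));
    }
}
```

When `touch` returns false the application should invalidate that container session, since it has been replaced or logged out.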
Thanks for your suggestion. I actually want to make sure that he cannot even create 2 sessions from the same computer as well, e.g. if he tries to open 2 browser windows using Ctrl+N in case of IE. I want the application to ask the user to close either of the sessions.
If the user says Ctrl + N from his browser, he is not creating 2 sessions, the same session is available in the 2nd browser instance also.
Eg. User has logged into the system.
User does Ctrl + N and open Browser window 2
User logs out in *Browser 2*
If User clicks any link in *Browser 1* he is logged out, as the session has expired.
Let me see if I can convince Client....
Best of luck :)
There is no clean way. You can use the timeout solution, but you will always have the problem where a user will exit the session without a logout and then try and return before the timeout has expired.
There is a reason why you do not want multiple sessions. It has always been my experience to block at the true reason and assume the users will try the multiple session. This way you are not going to get the non-malicious user ticked off because they can't log on.
Can't you check the sessionid against the user and maintain a log and whenever there is a new sessionid/user, check against the log and see if it is present. If it is present, throw a warning....
Can anybody send me the source code for this in Java?