I need to restrict users from logging in to the application from multiple locations using the same id.
Any help on how do I do this?
My major problem is how do I unlock the user once their session dies?
My app involves a suite of applications and we have a single sign-on server with multiple sessions being maintained between the browser and the multiple applications.
We use an encrypted cookie for this.
I need to unlock the user when all the sessions have died and maintain the status quo if only one session dies.
I'm not sure what app server/servlet container you're using, but if it supports Servlet API 2.3 you can always use the HttpSessionListener class and register creation/invalidation of sessions. If you store references to all sessions a user creates you can just check against that repository when the sessions get invalidated, and when they're all history just log out the user.
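A sketch of the session-tracking approach described in the reply above, as an added example that is not part of the original thread. The class name `UserSessionTracker` and the methods `track` and `isLocked` are hypothetical, and it assumes every application's sessions are visible to one JVM; in a multi-application suite the same bookkeeping would have to live somewhere shared, such as the single sign-on server.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical listener; register it with a <listener> element in web.xml.
public class UserSessionTracker implements HttpSessionListener {
    // userId -> ids of that user's live sessions
    private static final Map<String, Set<String>> SESSIONS_BY_USER = new ConcurrentHashMap<>();
    // sessionId -> userId, so destruction never has to read session attributes
    private static final Map<String, String> USER_BY_SESSION = new ConcurrentHashMap<>();

    /** Call from the login code once the user has been authenticated. */
    public static void track(String userId, HttpSession session) {
        USER_BY_SESSION.put(session.getId(), userId);
        SESSIONS_BY_USER.compute(userId, (u, ids) -> {
            if (ids == null) ids = ConcurrentHashMap.newKeySet();
            ids.add(session.getId());
            return ids;
        });
    }

    /** True while at least one tracked session is alive: the user stays locked. */
    public static boolean isLocked(String userId) {
        return SESSIONS_BY_USER.containsKey(userId);
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to do: the user is unknown until login calls track().
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        String sessionId = event.getSession().getId();
        String userId = USER_BY_SESSION.remove(sessionId);
        if (userId == null) return; // this session never logged in
        // Atomically drop the session. Returning null removes the user's entry,
        // which is the "unlock" once the last session has died; while other
        // sessions remain, the entry (and the lock) is kept.
        SESSIONS_BY_USER.computeIfPresent(userId, (u, ids) -> {
            ids.remove(sessionId);
            return ids.isEmpty() ? null : ids;
        });
    }
}
```

The container calls `sessionDestroyed` for both explicit invalidation and timeout, so a user who closes the browser without logging out is unlocked only when the last session expires.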
Restricting users from multiple logins may have an unacceptable side effect.
What if a user closes his/her browser without pressing "Log out"? Then the application will wait for the entire expiration timeout before closing the session, disabling the user from logging on again for, let's say, a 30-minute period. A workaround could be invalidation of the previous session on a new login attempt, but it might not be appropriate. So sometimes it's better to reconsider whether you really need this feature.
I perfectly understand your concern that if a user closes the browser window, he will have to wait for the session to expire before he can log in again...
I guess we are willing to live with this limitation if it can't be bypassed.
(Anyway, it's not for me to decide whether we should have this feature or not.)