avoiding duplicate login in web applications

Discussions

Web tier: servlets, JSP, Web frameworks: avoiding duplicate login in web applications

  1. avoiding duplicate login in web applications (6 messages)

      i have to prevent duplicate user login from web browsers. i use a hash map to store userId - HttpSession pair, and check it during each login. my problem is that if a user close a browser without clicking "logout" button, he has to wait till his old session timed out before he can login again. does anybody have experience in solving this problem?
      thanks
  2. When checking your HashMap of logged-in users
    to decide whether to allow a new login,
    why not also check the client's IP using
    ServletRequest.getRemoteAddr()?

    It's not perfect... if a user closes the browser
    and runs over to another computer and tries to log in,
    it will still fail until session timeout. But it will
    solve the case of the user closes the browser and then
    reopens it and tries to log in again.

    I don't have experience with this; just hope the suggestion helps.
  3. marc, it won't work in most of the cases. say, u have a proxy server in ur office, and the ip of all the clients would be identical.
  4. What you can do is the following:

    Set up a Frameset of two frames. In the upper portion, display your htmlpages like before. The lower frame has height=0 and is therefore invisible. Load a servlet inside this frame which will touch all external session-id's, so that all session-id's are valid as long as the frame exists.
    Then, using javascripthandler for the destroy-page event of the lower frame load a servlet, which logs out all sessions automatically.
    This should do the trick.
  5. Ooops, thanks xiaofei, you're right, of course. :)
  6. georg, it works. and i still want to know how u do in ur javascript code. i did it like this " var w = open("logout.jsp"); w.close();". and there is a twinkle on the screen after closing the browser. how did u do that?
    thanks
  7. The basic requiremnet is there should be some OnSessionEnd method that is called when any user ends his session, whether by logout button or by closing hte browser.
    This method is not there in JSP or servlet technology, but it's there with ASP.
    I haven't tried it out but i think that it can still be implemented in servlets os JSP. The Concept lies here :

    Whenever a user ends his session all variables stored in his session are destroyed. If we were able to get a notification from the object that was there in session of any user and destroyed on session end that will solve our problem. That can be done by making a object of Class in which you will override the finalize method to do clean up your Hash for that particular user and put that Object in session variables for each user when he logges in. Then whenever the session is ended by user or server the objects that were there in the session will be destroyed. And when the this object is destroyed it will call it's finalize() method and then your hash will be cleaned.

    May be my language for you guys is tough to understand but if you have understood this concept then everyone here should try this out.


    Farhan