How about keeping a list of user-defined small objects that implement
HttpSessionBindingListener and hold user login info and session info in
application-scope? Whenever a user tries to log in, you check the list first
and enforce whatever policy you like. If a user logs in successfully, create
a new obj and add it to the list. When a session is expired remove its obj from
the list. Hope it can help.
YFG
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Monday, January 22, 2001 3:09 PM
To: JRun-Talk
Subject: RE: Preventing Concurrent Login
You should not use ServletContext methods to access the sessions, since there
are serious security problems with it.
Instead a possible solution is here:
1- Have a Hashtable with application context. In this table you will store
   users, mapped to sessions.
2- When u logs in
   2.1 Check if there is an entry for the user that you are logging in.
       if so 3
       else 4.
3- Check if the session is still active and is not timed-out
   if so
       3.1 Create a new session
       3.2 Get the data from the old session to the new session if
           appropriate
       3.3 Invalidate the old one
       3.4 Store in the table the new session with userid as a key
   else
       3.1 Create a new session
       3.3 Invalidate the old one
       3.4 Store in the table the new session with userid as a key
4- 3.1 Create a new session
   3.4 Store in the table the new session with userid as a key
5- When you log-out
   5.1 Invalidate the session
   5.2 Remove the session from the table
6- If you close the browser without logging out and later log in
       go to 2.
   else
       go to 4
This is a very basic solution, but you can have many variations based on this
one, using other information like IP addresses, etc.
Hope this helps.
Sokol.
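
The table from Sokol's steps combined with the HttpSessionBindingListener clean-up suggested in YFG's reply, as an added example that is not code from either post. It assumes the javax.servlet API and a newest-login-wins policy; LoginRegistry, Marker and the "loginMarker" attribute name are hypothetical, and step 3.2 (copying data from the old session) is left out.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Hypothetical helper: one live session per user id, newest login wins. */
public final class LoginRegistry {
    // Application-wide table: user id -> that user's current session.
    private static final ConcurrentMap<String, HttpSession> ACTIVE =
            new ConcurrentHashMap<>();

    /** Session attribute whose unbinding removes the table entry. */
    private static final class Marker implements HttpSessionBindingListener {
        private final String userId;
        private final HttpSession owner;
        Marker(String userId, HttpSession owner) {
            this.userId = userId;
            this.owner = owner;
        }
        @Override public void valueBound(HttpSessionBindingEvent e) { }
        // Runs on logout, timeout or any invalidation (e.g. closed browser).
        @Override public void valueUnbound(HttpSessionBindingEvent e) {
            // Two-argument remove: a displaced session must not delete the
            // entry that now belongs to its successor.
            ACTIVE.remove(userId, owner);
        }
    }

    /** Call only after the credentials have been verified (steps 2 to 4). */
    public static HttpSession login(HttpServletRequest req, String userId) {
        HttpSession pre = req.getSession(false);
        if (pre != null) pre.invalidate();           // discard pre-login session
        HttpSession fresh = req.getSession(true);    // 3.1 create a new session
        fresh.setAttribute("loginMarker", new Marker(userId, fresh));
        HttpSession old = ACTIVE.put(userId, fresh); // 3.4 store under user id
        if (old != null) {
            try { old.invalidate(); }                // 3.3 invalidate the old one
            catch (IllegalStateException gone) { /* already timed out */ }
        }
        return fresh;
    }

    /** Step 5: invalidate() unbinds the marker, which removes the entry. */
    public static void logout(HttpSession session) {
        session.invalidate();
    }
}
```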
> -----Original Message-----
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: Sunday, January 21, 2001 7:01 PM
> To: JRun-Talk
> Subject: RE: Preventing Concurrent Login
>
>
>
> Hi Joe,
>
> This would have been possible only if the HttpSessionContext works fine.
> But that one is deprecated and JRun never allows you to access any Session
> Context.
>
> Just based on time out interval is also not an advisable solution because
> this may clear off some users still working. So now I am planning to do it
> in this way. Whenever a user is active he will keep on updating the time
> in a table. Also a back end process running at particular intervals will
> clear off the blocking if the Last Updated time+Timeout interval exceeds
> present time.
>
> Kindly let me know if you come across any better solution.
>
> Thanks & Regards
> Savant
>
>
>
>
>
> Joe Niski <[EMAIL PROTECTED]> on 01/20/2001 07:42:15 AM
>
> Please respond to [EMAIL PROTECTED]
>
> To: JRun-Talk <[EMAIL PROTECTED]>
> cc: (bcc: Savantraj Chennamakal Subramanian/PM4/ISSAP/SES/SONYASIA)
> Subject: RE: Preventing Concurrent Login
>
>
>
> if you used an application-scoped bean to contain a table of userid's
> matched to session id's, then when a user tries to log in you could test
> if the pair of id's matches your list of currently logged-in users.
>
> i'm just thinking out loud - the session-timeout value would be a factor
> in designing this. there are probably better ways to do it.
>
> Joe
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, January 18, 2001 5:03 PM
> > To: JRun-Talk
> > Subject: RE: Preventing Concurrent Login
> >
> >
> >
> >
> > Hi Joe,
> > Keeping application-scoped list of logged in users/setting some flag in
> > db will work if user logged out properly. The problem is when user just
> > closes the browser, there is no way to reset the Application scoped
> > variable/Flag in db. This will prevent that user from logging in next
> > time.
> > It would be nice if we can remove the logged in user whenever that
> > session ends from the list.
> > Kindly share your views about it..
> >
> > Thanks & Regards
> >
> >
> >
> >
> > Joe Niski <[EMAIL PROTECTED]> on 01/19/2001 02:47:24 AM
> >
> > Please respond to [EMAIL PROTECTED]
> >
> > To: JRun-Talk <[EMAIL PROTECTED]>
> > cc: (bcc: Savantraj Chennamakal Subramanian/PM4/ISSAP/SES/SONYASIA)
> > Subject: RE: Preventing Concurrent Login
> >
> >
> >
> > How about keeping an application-scoped list of logged-in users?
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, January 17, 2001 11:05 PM
> > > To: JRun-Talk
> > > Subject: Preventing Concurrent Login
> > >
> > >
> > >
> > >
> > > Hi,
> > > I am having a JSP application running on JRun3.0. Could anyone suggest
> > > me some method to prevent the user from logging in more than one time
> > > concurrently?
> > >
> > > I thought of doing it by ServletContext. Since it's deprecated by Sun
> > > (also not working in JRun 3.0) I would rather prefer some other way.
> > >
> > > Thanks & Regards
> > >
> > >
> > >
> > >
> > >
> >
>