I don't think you have to do anything that complicated. I had not thought
this all the way through since we don't care if the same user logs on more
than once, the issue for us is to auto log on someone who has a persistent
cookie set. But I think it can work in the opposite direction too.
I wasn't really talking about accessing the session cookie directly but
using the JSP session object to track session logins.
I see four conditions.
1. User is atempting to log in for the first session
2. User is already logged in from the current session
3. User is logged in a session that is defunct but not yet expired
4. User is logged in from one machine already and is trying to log in from a
different machine
Store the current login info for the user in a session object and in a
persistent object on your server (most likely a database). The session
object can be managed by invalidating the session on a deliberate logout or
through a timeout using the javax.servlet.http.HttpSessionBindingListener
interface and the javax.servlet.http.HttpSessionBindingEvent class. The
problem is in the window of time when the session is no longer in use by the
user because he closed the browser window but the session hasn't timed out
yet so the binding event hasn't fired yet.
Condition number 1 is easy, you check your persistent login info on your
server and don't find the user, therefore this is the sole login. This
condition occurs on a deliberate logout and when the session expires.
Condition 2 is also pretty easy. You find that the user is logged in on your
server and you check the session and it
shows that the user is logged in as well. That means an attempt on the same
session. This is probably not an error since it is guaranteed to be the same
login.
To differentiate condition 3 from condition 4, create a persistent cookie on
the users machine during a valid login. If the user is logged in on your
server and you check the session and it doesn't show a log on, check to see
if the user has a persistent login cookie. If there is a cookie then this is
a login from the same machine and browser and it is very likely that the old
session is defunct but not yet expired. Simply invalidate that old session
and allow the user to re-login. If there is no cookie then it is likely that
this user is attempting to login from a new machine. Disallow that condition
with an error explaining that multiple logins aren't allowed.
Interesting problem.
-----Original Message-----
From: M. Simms [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 18, 2000 4:36 PM
To: [EMAIL PROTECTED]
Subject: FW: Tracking Sessions!
Very clever....
so the implementation is :
for a new visit, to generate both types of cookies with a timestamp stored
for the cookie data in each.
Then, if the timestamps are within a certain tolerance, you know the browser
was NOT closed during the visit.
Otherwise, the user closed the browser.
Is this right ?
even though a new instance of the browser may have been started ?
-----Original Message-----
From: A mailing list about Java Server Pages specification and reference
[mailto:[EMAIL PROTECTED]] On Behalf Of Jim Bailey
Sent: Friday, August 18, 2000 10:34 AM
To: [EMAIL PROTECTED]
Subject: Re: Tracking Sessions!
You can also use a cookie to track sessions. If you use a persistent cookie
in combination with a session cookie you can track whether the login is on
the same session or a new session (i.e. whether or not the user closed the
browser).
-----Original Message-----
From: Veronique Dupierris [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 18, 2000 10:00 AM
To: [EMAIL PROTECTED]
Subject: Re: Tracking Sessions!
I'm afraid the only way ti track this, is onky when the session expires !
using the
HttpBinding events, you could know when a sessionn expires (if user logout
and if
you do a session.invalidate or if the session expires on time out) But you
can't
know if the user close the browser or uit your site to visit a another one
since,
maybe, you use an applet on your pages and uses the applet "close" pr
"destroy"
method ..
Regards
Veronique.
MALINI KRISHNAMURTHY a �crit :
> Hi all.
>
> I have a very peculiar problem....I need to allow any user to login
only
> once...
> If the user does a proper logout, then I will be able to track the
> session and allow the user to login again...
> B ut, what if he/she closes the browser?How do I track that???
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
Some relevant FAQs on JSP/Servlets can be found at:
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.html
http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
