Venkat wrote:
>
> Hi All
>
> This has reference to a previous discussion on 'disallowing concurrent
> login' and Mr. Hans Bergsten came out with a suggestion of implementing
> HttpSessionBindingListener interface, add every new user to a vector, check
> the existence when a new user logs in ...
>
> I have implemented a solution similar to that, create a table to store
> details such as sessionId, User Ip, User's unique login id, session created
> time etc., check the table for login id, if not found, create a new session,
> add the loginid to that table and deny new session if the login id is found
> in the table. So, if the same user or anybody with the same loginid tries
> to sign in again, he is redirected to another page which shows details such
> as the session details from the table
>
> This method works as long as the user signs out using another jsp page which
> removes all cookies and invalidates the session, but the problem is that if
> the user closes the browser window without signing out, those details are
> never removed from the table and he will not be able to login at all unless
> someone removes his details from the table
The approach you refer to, that I suggested in some other thread on another
list, was intended to handle the case where it's important to make sure the
user is only logged in from *one* browser/PC at a time. In most cases, this is
not really an issue, and you can get away with a much simpler approach: just
keep the user info as a bean in the session, without the need for a central,
servlet context table. See below for how this approach solves your problem.
> Here, I am looking for a mechanism
>
> 1. which allows the tomcat container to remove all expired sessions from
> using sessions Ids,
Sessions expire automatically after a period of inactivity. You can set
the time-out period globally in web.xml or per session with
session.setMaxInactiveInterval().
> 2. Inform the first logged in user, log him out, invalidate that session
> and create new session for the newly signed in user
If a new user just starts using the same browser as the previous user,
there's no way for you to know that it's a new user. So for this to work
at all, the first user must either log out explicitly (and then you can
invalidate the session) or close the browser (the session will time out).
Given this, a new session will always be created automatically for a
new user, so you just have to save the user data in the session.
> 3. A method which can invalidate a session by its session Id (such as
> session.invalidate(sessionId), because HttpSession.invalidate() method
> does not take any argument and invalidates the current session)
This is not possible with the Servlet 2.2 API (it was possible with 2.1
but was removed due to security concerns). And given your requirements,
as I understand them, I don't see why you would need it.
> I am contemplating this to work similar to Yahoo Messenger (invalidates old
> session and creates new)
>
> I seek your valuable suggestions
I hope this helped.
Hans
--
Hans Bergsten [EMAIL PROTECTED]
Gefion Software http://www.gefionsoftware.com
Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com
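
Added example (not part of the original message and not Hans's own code): the HttpSessionBindingListener approach discussed in this message, written as a session bean whose unbind callback releases the login id when the session times out after a closed browser, and whose bind callback logs out the older session through a held reference rather than by session id. The class name LoginGuard, the attribute name "user" and the in-memory map are assumptions; it uses the javax.servlet.http API and needs Java 5 or later for ConcurrentMap.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

// Hypothetical bean: after the credentials have been verified, bind it with
// session.setAttribute("user", new LoginGuard(loginId)).
public class LoginGuard implements HttpSessionBindingListener {
    // loginId -> session that currently owns the login (in-memory, single JVM only).
    private static final ConcurrentMap<String, HttpSession> ACTIVE =
            new ConcurrentHashMap<String, HttpSession>();

    private final String loginId;

    public LoginGuard(String loginId) {
        this.loginId = loginId;
    }

    public String getLoginId() {
        return loginId;
    }

    // Called by the container when the bean is stored in a session.
    public void valueBound(HttpSessionBindingEvent event) {
        HttpSession current = event.getSession();
        HttpSession previous = ACTIVE.put(loginId, current);
        if (previous != null && previous != current) {
            try {
                previous.invalidate(); // newest login wins; the old session is logged out
            } catch (IllegalStateException alreadyInvalidated) {
                // The old session expired on its own; nothing left to do.
            }
        }
    }

    // Called on explicit logout (invalidate), on attribute removal and on time-out,
    // so a closed browser is cleaned up once the inactivity interval has passed.
    public void valueUnbound(HttpSessionBindingEvent event) {
        // Two-argument remove: delete the entry only if it still points at this
        // session, so a superseded session does not wipe the newer login.
        ACTIVE.remove(loginId, event.getSession());
    }

    public static boolean isLoggedIn(String loginId) {
        return ACTIVE.containsKey(loginId);
    }
}
```

How long a stale entry survives a closed browser is bounded by the session time-out set in web.xml or with session.setMaxInactiveInterval().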