What we did was store session info in a DB table (appropriately enough
named Session_T; our naming scheme adds a T to tables, etc.).

We store it with the create time and all that. As you say, the hard part is
when they forget to log out, or winblows locks up on them. In that case what
we always do on our login is:

HttpSession ses = request.getSession(true);
ses.invalidate();

Then they are only logged in one time.

It's a two-stage login: if they have session info in the DB that has not
"expired", we ask if they are sure they want to log in.

If this happens more than 3 times in a 30 minute period we email the
administrator. We additionally store the last login time in a user
intersection table (that contains user info but not the password; we use
a directory server for authentication), thus we can track all their logins.
We just look at the last three, get the time between them, and then lock
them out. It's a security precaution.

Don't ask me where we came up with the time limit; that was a client call, not
ours.

Al
----------------------------------------------------------
Allen L. Fogleson
Senior Project Manager Crunchy Technologies
2111 Wilson Boulevard Suite 350
Arlington, Va 22201

voice: (703) 469-2032
pager: (800) 826-3181

www.crunchy.com <http://www.crunchy.com>
Is your business soggy or is it Crunchy?
----------------------------------------------------------
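As an added illustration of the scheme Al describes (not code from this thread or from Orion), here is an in-memory stand-in for the Session_T row and the login-history intersection table. The 30-minute session expiry and the reading of the lockout rule as "three logins whose span fits inside 30 minutes" are assumptions; in a real servlet the login page would call this before invalidating and re-creating the HttpSession.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.*;

/** Hypothetical single-login guard; maps stand in for Session_T and the login-history table. */
public class SingleLoginGuard {
    public enum Result { LOGGED_IN, CONFIRM_REQUIRED, LOCKED_OUT }

    static final Duration SESSION_TTL = Duration.ofMinutes(30); // assumption: what "expired" means
    static final Duration LOCK_WINDOW = Duration.ofMinutes(30); // from the reply: 30 minute period
    static final int LOCK_THRESHOLD = 3;                        // from the reply: look at the last three

    private final Map<String, Instant> activeSessions = new HashMap<>();     // user -> session create time
    private final Map<String, List<Instant>> loginHistory = new HashMap<>(); // user -> login times
    private final Set<String> lockedUsers = new HashSet<>();
    final List<String> adminAlerts = new ArrayList<>();                      // stands in for the admin e-mail

    /** confirmedTakeover is the answer to the second-stage "are you sure?" question. */
    public Result login(String user, boolean confirmedTakeover, Instant now) {
        if (lockedUsers.contains(user)) return Result.LOCKED_OUT;
        Instant existing = activeSessions.get(user);
        boolean stillLive = existing != null && existing.plus(SESSION_TTL).isAfter(now);
        if (stillLive && !confirmedTakeover) return Result.CONFIRM_REQUIRED;
        activeSessions.put(user, now); // replaces the old row, so only one login is current
        List<Instant> history = loginHistory.computeIfAbsent(user, k -> new ArrayList<>());
        history.add(now);
        int n = history.size();
        if (n >= LOCK_THRESHOLD) {
            Instant oldestOfLastThree = history.get(n - LOCK_THRESHOLD);
            if (Duration.between(oldestOfLastThree, now).compareTo(LOCK_WINDOW) <= 0) {
                lockedUsers.add(user);
                activeSessions.remove(user);
                adminAlerts.add(user + ": " + LOCK_THRESHOLD + " logins within "
                        + LOCK_WINDOW.toMinutes() + " minutes, locked out");
                return Result.LOCKED_OUT;
            }
        }
        return Result.LOGGED_IN;
    }

    public void logout(String user) { activeSessions.remove(user); }

    public static void main(String[] args) {
        SingleLoginGuard guard = new SingleLoginGuard();
        Instant t0 = Instant.parse("2001-03-22T21:47:00Z"); // constructed timestamps
        System.out.println(guard.login("alice", false, t0));                    // LOGGED_IN
        System.out.println(guard.login("alice", false, t0.plusSeconds(600)));   // CONFIRM_REQUIRED
        System.out.println(guard.login("alice", true, t0.plusSeconds(600)));    // LOGGED_IN
        System.out.println(guard.login("alice", true, t0.plusSeconds(1200)));   // LOCKED_OUT
        System.out.println(guard.adminAlerts);
    }
}
```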


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of David Morton
Sent: Thursday, March 22, 2001 9:47 PM
To: Orion-Interest
Subject: Simultaneous Username/Password Detection



        I am building a system that protects content by username and password.  No
problem there.  The more complicated part of the system prevents two people
using the same username and password at the same time on our web site.  I
have a plan to do this, but I haven't seen if there are any common
methods/techniques/strategies/design patterns to do this in a JSP
environment.  Nor do any of our developers have any experience in doing
this.
        Currently, I am just going to store server-generated sessionIds and
userIds with other necessary data/time checks... of course the user must
be able to take over use of that username and password because the browser
may crash... or they forget to hit logout... and also I must flag when this
happens too many times in a period of time as a red flag... obviously with
an HTML web site, there is no 100% accurate way to only have one user using
the site at once; however, I can build it well enough that 95% of the users
that are giving out their passwords won't, because it is annoying to keep
re-logging in and being locked out for an hour if you trip one of our red
flags... thoughts?  experiences?
        This is not for a porn site, however, I bet that porn people have
something like this.

David
