Re: Concurrent login detection - how?

2005-06-15 Thread Andre Van Klaveren
I mentioned this issue (killing browser problem) in a previous
posting.  The only way to prevent this is to invalidate the original
session also in the event that a duplicate login was detected.  I can
see a possible DOS attack problem with this solution though.  Maybe
you shouldn't invalidate the original session and make the user call
helpdesk to invalidate the original session.  This would aid in the
tracking of this event also.

Using IP addresses is usually not a good way to detect duplicate
logins.  I guess this would work in a controlled environment
(intranet) where you can guarantee that the user(s) aren't behind a
proxy server.  It's definitely not an option for a public site.



On 6/15/05, Nikola Milutinovic [EMAIL PROTECTED] wrote:
 David Rickard wrote:
 
  Don't know if this is an optimum solution, but it should work:
  Keep a List or Vector of IDs for active users in a shared,
  application-level object (probably ServletContext);
  When someone logs in, search the List for the submitted ID: if not
  present, continue with login sequence; if present, kick them to the
  duplicate login page;
  Remove IDs from the List when users log out (and add a
  ServletContextListener to catch people who leave the site without
  logging out--remove their IDs when their sessions time out);
 
 
 This is definitely a correct approach, but it has one shortcoming.
 Suppose one user opens up a session (logs in) and his/her browser dies.
 The user opens another browser and tries to login, only to be kicked to
 duplicate user page. I think in this case, the original poster should
 have a vector or a hash map of user names and remote machine names/IPs.
 
 Nix.
 
 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]
 
 


-- 
Virtually,
Andre Van Klaveren
Architect III, SCP
Enterprise Transformation Services
Unisys Corporation




Re: Concurrent login detection - how?

2005-06-15 Thread Woodchuck
yes, this boils down to a business policy issue.  in my web app the
policy is 'one user at any one time'.  we track user logins at the
database level.  we immediately invalidate the existing user session if
the same user has just logged in (again).

the existing user gets a "your session has expired" message upon their
next action in the web app.  basically, the latest login wins.

this is the behavior/policy our client is happy with.

woodchuck


--- Andre Van Klaveren [EMAIL PROTECTED] wrote:

 I mentioned this issue (killing browser problem) in a previous
 posting.  The only way to prevent this is to invalidate the original
 session also in the event that a duplicate login was detected.  I can
 see a possible DOS attack problem with this solution though.  Maybe
 you shouldn't invalidate the original session and make the user call
 helpdesk to invalidate the original session.  This would aid in the
 tracking of this event also.
 
 Using IP addresses is usually not a good way to detect duplicate
 logins.  I guess this would work in a controlled environment
 (intranet) where you can guarantee that the user(s) aren't behind a
 proxy server.  It's definitely not an option for a public site.
 
 
 
 On 6/15/05, Nikola Milutinovic [EMAIL PROTECTED] wrote:
  David Rickard wrote:
  
   Don't know if this is an optimum solution, but it should work:
   Keep a List or Vector of IDs for active users in a shared,
   application-level object (probably ServletContext);
   When someone logs in, search the List for the submitted ID: if not
   present, continue with login sequence; if present, kick them to the
   duplicate login page;
   Remove IDs from the List when users log out (and add a
   ServletContextListener to catch people who leave the site without
   logging out--remove their IDs when their sessions time out);
  
  
  This is definitely a correct approach, but it has one shortcoming.
  Suppose one user opens up a session (logs in) and his/her browser dies.
  The user opens another browser and tries to login, only to be kicked to
  duplicate user page. I think in this case, the original poster should
  have a vector or a hash map of user names and remote machine names/IPs.
  
  Nix.
  
 







Re: Concurrent login detection - how?

2005-06-15 Thread Nikola Milutinovic

Andre Van Klaveren wrote:


I mentioned this issue (killing browser problem) in a previous
posting.  The only way to prevent this is to invalidate the original
session also in the event that a duplicate login was detected.  I can
see a possible DOS attack problem with this solution though.  Maybe
you shouldn't invalidate the original session and make the user call
helpdesk to invalidate the original session.  This would aid in the
tracking of this event also.
 



To DoS or not to DoS? I would let the session expire naturally, let the 
SessionListener cleanup and logout the user and when a duplicate comes 
in tell them what is the case. If they need access *now*, they can call 
the help desk.



Using IP addresses is usually not a good way to detect duplicate
logins.  I guess this would work in a controlled environment
(intranet) where you can guarantee that the user(s) aren't behind a
proxy server.  It's definitely not an option for a public site.
 



True.

Nix.




Re: Concurrent login detection - how?

2005-06-14 Thread David Rickard

Don't know if this is an optimum solution, but it should work:
Keep a List or Vector of IDs for active users in a shared, 
application-level object (probably ServletContext);
When someone logs in, search the List for the submitted ID: if not present, 
continue with login sequence; if present, kick them to the duplicate 
login page;
Remove IDs from the List when users log out (and add a 
ServletContextListener to catch people who leave the site without logging 
out--remove their IDs when their sessions time out);


At 09:22 AM 6/14/2005, you wrote:

What is the best way to detect two people being logged in concurrently using
the same account? This is one aspect of my efforts to restrict fraudulent
access. Again, I don't want to use Acegi since it seems to break the rest of
my app. So, what's the best way to do this 'traditionally'?

Thanks!

Michael






--

David Rickard
Software Engineer

TechBooks/GTS
Your Single Source Solution!
Los Angeles CA * York, PA * Boston,MA * New Delhi, India
Visit us on the World Wide Web 
http://www.techbooks.com


[EMAIL PROTECTED]
5650 Jillson St., Los Angeles, CA 90040
(323) 888-8889 x331
(323) 888-1849 (Fax)



Re: Concurrent login detection - how?

2005-06-14 Thread Andre Van Klaveren
This will prevent users from having more than one session at a time
for sure.  You would probably want to remove the id from the list when
a duplicate is detected to prevent users from having to wait for their
initial session to timeout in the event that they closed their browser
without properly logging out.  You would also need to keep the session
id in this list so that you can invalidate the session that is related
to the id.

This of course would drop the original session and in the event that
two people were using the same ID it would become a nuisance for the
first user to login (they would lose their session).

You would want to make sure to log this event for auditing purpose as well.

Did I miss anything?




Re: Concurrent login detection - how?

2005-06-14 Thread Tim Diggins
And I presume you'd need to get/persist this java object to a database, 
if you fancied scaling beyond a single application server? (Or am I 
missing something?)



Andre Van Klaveren wrote:

This will prevent users from having more than one session at a time
for sure.  You would probably want to remove the id from the list when
a duplicate is detected to prevent users from having to wait for their
initial session to timeout in the event that they closed their browser
without properly logging out.  You would also need to keep the session
id in this list so that you can invalidate the session that is related
to the id.

This of course would drop the original session and in the event that
two people were using the same ID it would become a nuisance for the
first user to login (they would lose their session).

You would want to make sure to log this event for auditing purpose as well.

Did I miss anything?







Re: Concurrent login detection - how?

2005-06-14 Thread David Rickard
An HttpSessionListener implements a sessionDestroyed() method, which 
receives a HttpSessionEvent object from the servlet container when a 
session is about to be invalidated (the timing undoubtedly depends upon 
the container); the HttpSessionEvent object has a getSession() method, 
which returns the HttpSession object about to be invalidated, from which 
you can get the session ID and other information to identify the affected user;


At 01:28 PM 6/14/2005, Michael Mehrle wrote:
That actually goes to the heart of my question: HOW do I detect when their 
session times out? ;-)
I know the 'strategy' of doing this, but I don't know how to capture a 
timed-out session - technically. Any input would be welcome.


TIA,

Michael

- Original Message - From: David Rickard [EMAIL PROTECTED]

To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Tuesday, June 14, 2005 9:53 AM
Subject: Re: Concurrent login detection - how?




Remove IDs from the List when users log out (and add a
ServletContextListener to catch people who leave the site without logging
out--remove their IDs when their sessions time out);

At 09:22 AM 6/14/2005, you wrote:

What is the best way to detect two people being logged in concurrently using
the same account? This is one aspect of my efforts to restrict fraudulent
access. Again, I don't want to use Acegi since it seems to break the rest of
my app. So, what's the best way to do this 'traditionally'?

Thanks!

Michael














Re: Concurrent login detection - how?

2005-06-14 Thread Michael Mehrle
That actually goes to the heart of my question: HOW do I detect when their 
session times out? ;-)
I know the 'strategy' of doing this, but I don't know how to capture a 
timed-out session - technically. Any input would be welcome.


TIA,

Michael

- Original Message - 
From: David Rickard [EMAIL PROTECTED]

To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Tuesday, June 14, 2005 9:53 AM
Subject: Re: Concurrent login detection - how?




Remove IDs from the List when users log out (and add a
ServletContextListener to catch people who leave the site without logging
out--remove their IDs when their sessions time out);

At 09:22 AM 6/14/2005, you wrote:
What is the best way to detect two people being logged in concurrently using
the same account? This is one aspect of my efforts to restrict fraudulent
access. Again, I don't want to use Acegi since it seems to break the rest of
my app. So, what's the best way to do this 'traditionally'?

Thanks!

Michael














Re: Concurrent login detection - how?

2005-06-14 Thread Frank W. Zammetti
A SessionContextListener gets called when a session times out, or is 
otherwise invalidated.  This is how you do it.  I did this in an app 
some time ago... I just needed to maintain a list of who was logged in. 
   You can do something simple like I did: have a UsersList object with 
a single static HashMap in it.  In that HashMap goes User objects.  When 
the session is created, the listener is called, and you put the User 
object in it.  When the session is destroyed, you remove it.  I keyed 
the HashMap off user ID, you can do it however you like.  Just be sure 
to take concurrency into account and it works rather well.  You could do 
it to a database if your requirements make that a better choice.


Frank

Michael Mehrle wrote:
That actually goes to the heart of my question: HOW do I detect when 
their session times out? ;-)
I know the 'strategy' of doing this, but I don't know how to capture a 
timed-out session - technically. Any input would be welcome.


TIA,

Michael

- Original Message - From: David Rickard [EMAIL PROTECTED]

To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Tuesday, June 14, 2005 9:53 AM
Subject: Re: Concurrent login detection - how?




Remove IDs from the List when users log out (and add a
ServletContextListener to catch people who leave the site without logging
out--remove their IDs when their sessions time out);

At 09:22 AM 6/14/2005, you wrote:

What is the best way to detect two people being logged in concurrently using
the same account? This is one aspect of my efforts to restrict fraudulent
access. Again, I don't want to use Acegi since it seems to break the rest of
my app. So, what's the best way to do this 'traditionally'?

Thanks!

Michael


















--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com





Re: Concurrent login detection - how?

2005-06-14 Thread Nikola Milutinovic

David Rickard wrote:


Don't know if this is an optimum solution, but it should work:
Keep a List or Vector of IDs for active users in a shared, 
application-level object (probably ServletContext);
When someone logs in, search the List for the submitted ID: if not 
present, continue with login sequence; if present, kick them to the 
duplicate login page;
Remove IDs from the List when users log out (and add a 
ServletContextListener to catch people who leave the site without 
logging out--remove their IDs when their sessions time out);



This is definitely a correct approach, but it has one shortcoming. 
Suppose one user opens up a session (logs in) and his/her browser dies. 
The user opens another browser and tries to login, only to be kicked to 
duplicate user page. I think in this case, the original poster should 
have a vector or a hash map of user names and remote machine names/IPs.


Nix.

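An added example (my own code, not posted by anyone in this thread and not part of Tomcat) that pulls the pieces discussed above together: David's registry of logged-in users, Frank's static map behind an HttpSessionListener with concurrency handled, Andre's point that the session object itself must be kept so the original can be invalidated and the event audited, and Woodchuck's "latest login wins" policy as an option that also covers Nikola's dead-browser case. The class name, the activeUserId session attribute and the logger name are my assumptions; the map is per-JVM, so, as Tim notes, a cluster would need a shared store such as a database instead.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Per-JVM registry of live sessions keyed by user id (hypothetical name, not from the thread). */
public final class ActiveUserRegistry implements HttpSessionListener {
    private static final Logger AUDIT = Logger.getLogger("audit.login");
    private static final String USER_ATTR = "activeUserId";   // session attribute set at login
    // ConcurrentHashMap supplies the atomic put / putIfAbsent / remove(key, value) used below.
    private static final Map<String, HttpSession> ACTIVE = new ConcurrentHashMap<>();

    public enum Result { OK, DUPLICATE }

    /**
     * Call once credentials have been verified. If another live session already holds
     * userId: latestWins=false rejects the new login (David's duplicate-login page);
     * latestWins=true invalidates the old session (Woodchuck's policy), so a session left
     * behind by a dead browser cannot lock the user out (Nikola's case). Both are audited.
     */
    public static Result login(String userId, HttpSession session, boolean latestWins) {
        HttpSession previous = latestWins ? ACTIVE.put(userId, session)
                                          : ACTIVE.putIfAbsent(userId, session);
        if (previous != null && previous != session) {
            AUDIT.warning("duplicate login for " + userId + "; existing session " + previous.getId());
            if (!latestWins) {
                return Result.DUPLICATE;   // caller must not treat this session as authenticated
            }
            try {
                previous.invalidate();     // container then calls sessionDestroyed for it
            } catch (IllegalStateException alreadyInvalid) {
                // expired between the map swap and this call; the listener already cleaned up
            }
        }
        session.setAttribute(USER_ATTR, userId);
        return Result.OK;
    }
    @Override public void sessionCreated(HttpSessionEvent e) { /* nothing to do until login */ }

    /** Runs on timeout, on explicit logout (session.invalidate()) and on the invalidate() above. */
    @Override public void sessionDestroyed(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        String userId = (String) s.getAttribute(USER_ATTR);   // attributes are still readable here
        // Conditional remove: only clear the entry if it still refers to this session, so
        // tearing down a superseded session never evicts the newer login that replaced it.
        if (userId != null && ACTIVE.remove(userId, s)) {
            AUDIT.info("session ended for " + userId + " (" + s.getId() + ")");
        }
    }
}
```

Register the class with a listener element in web.xml (or @WebListener on Servlet 3.0 and later) and call login(...) from the authentication servlet after the credential check; logout is simply session.invalidate(), which lands in sessionDestroyed.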