Re: Strategy to prohibit concurrent users authenticated through Tomcat

2012-01-13 Thread chris derham

> I am using Tomcat 7.0.11 and use Form Authentication (via
> j_security_check) to authenticate through the Tomcat server.
> Currently, two users with the same username can log into my application
> from two different computers and concurrently access the app.
> Is there a way to prohibit a user from authenticating if a user with the
> same username has previously authenticated and still has an active session?

We use Spring Security in a web app that is deployed in Tomcat. It has
built-in support for this - you can configure it to either disallow subsequent
sessions, or kill the first session and allow subsequent sessions. This
should explain it better than I can:
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/session-mgmt.html.
Don't know how big a task it would be for you to move to this, but it works
really well for us.

> If you provide a bit more information about what you are trying/need to do,
> someone may come up with a better idea.
> For example, what is the real problem - in your application - when two
> people at different computers log in with the same user-id ?

+1

Chris
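The concurrency-control configuration Chris is pointing at, written out as an added example; this is not code from the thread or from the linked reference page. It uses the Spring Security 3.0.x namespace; the login-page and expired-url paths and the test account are assumptions.

```xml
<!-- Added example: Spring Security 3.0.x namespace config (the security context XML). -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <http>
    <!-- Paths below are assumptions for the example. -->
    <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="ROLE_USER" />
    <form-login login-page="/login.jsp" />
    <logout />
    <session-management>
      <!-- Beau's requirement: refuse a second login while the first session is alive. -->
      <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
      <!-- The other policy Chris mentions (use one or the other, not both): let the
           new login in and expire the older session, which is sent to expired-url
           on its next request:
           <concurrency-control max-sessions="1" expired-url="/session-expired.jsp" />
      -->
    </session-management>
  </http>

  <authentication-manager>
    <authentication-provider>
      <user-service>
        <!-- constructed test account, not a real credential -->
        <user name="alice" password="change-me" authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

This only works if `org.springframework.security.web.session.HttpSessionEventPublisher` is also registered as a `<listener>` in web.xml: the session registry that does the counting learns that a session has ended (logout or idle timeout) only through that listener, so without it a slot is never freed and, with `error-if-maximum-exceeded="true"`, the user stays locked out. That is the same bookkeeping problem a hand-written filter has to solve.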


Strategy to prohibit concurrent users authenticated through Tomcat

2012-01-12 Thread beau.hutcheson
I am using Tomcat 7.0.11 and use Form Authentication (via j_security_check) to 
authenticate through the Tomcat server.
Currently, two users with the same username can log into my application from 
two different computers and concurrently access the app.
Is there a way to prohibit a user from authenticating if a user with the same 
username has previously authenticated and still has an active session?

Thanks
Beau


Re: Strategy to prohibit concurrent users authenticated through Tomcat

2012-01-12 Thread André Warnier

beau.hutche...@thomsonreuters.com wrote:

> I am using Tomcat 7.0.11 and use Form Authentication (via j_security_check) to 
> authenticate through the Tomcat server.
> Currently, two users with the same username can log into my application from 
> two different computers and concurrently access the app.
> Is there a way to prohibit a user from authenticating if a user with the same 
> username has previously authenticated and still has an active session?


There is always a way, but not necessarily an easy way.
I do not know of any standard authentication scheme which would prevent that.

Maybe you should first reconsider your basic scheme: in my experience, it is always a bad 
idea in the end, in terms of security and in terms of audit (and in many cases in terms of 
application logic), to use group ids (in other words, allowing more than one physical person to 
log in under a common user-id).  The main point is: when something happens, you never know 
who did it (be that for support, debugging, statistics or security reasons).

It also interferes with things like personal settings etc.

I know of /applications/ which control that.  For example, one database system which I use 
allows setting, for each user-id, a maximum simultaneous login count, which limits the 
user's concurrent sessions to 1..n (settable by the administrator).


Another way would be to use a servlet filter to keep a count or a flag.  But it's tricky, 
because you need to store that somewhere, and you need to make sure that whatever happens 
(e.g. an application or user error) this count always gets reset when a user's session is 
terminated (even unexpectedly).


If you provide a bit more information about what you are trying/need to do, someone may 
come up with a better idea.
For example, what is the real problem - in your application - when two people at different 
computers log in with the same user-id ?
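A hand-rolled version of what André sketches (a servlet filter that keeps the "who is logged in" table, plus the cleanup hook he warns is the tricky part), as an added example that is not code from the thread. It runs on top of Tomcat's own form authentication, so the container has already done the login and `getUserPrincipal()` is the source of truth. Assumptions: Tomcat 7's Servlet 3.0 annotations, a single JVM (the table is an in-memory map), and a hypothetical init-param `rejectNewLogin` that selects between refusing the newcomer and evicting the older session.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Added example (not from the thread): one live session per username on top of
 * container-managed form authentication (j_security_check), single Tomcat JVM.
 *
 * The listener half is what keeps the table honest: sessionDestroyed() fires on
 * explicit invalidate (logout), on idle-timeout expiry and on the eviction below,
 * so an entry can never outlive its session.
 */
@WebFilter(urlPatterns = "/*",
           initParams = @WebInitParam(name = "rejectNewLogin", value = "true")) // hypothetical param
@WebListener
public class SingleSessionPerUserFilter implements Filter, HttpSessionListener {

    /** username -> the one session allowed to hold it. Static because the container
     *  instantiates the class separately for its filter and listener roles. */
    private static final ConcurrentMap<String, HttpSession> ACTIVE =
            new ConcurrentHashMap<String, HttpSession>();

    /** Session attribute recording which username this session was registered under. */
    private static final String OWNER_ATTR = SingleSessionPerUserFilter.class.getName() + ".owner";

    /** true: refuse the second login (Beau's requirement); false: evict the older session. */
    private boolean rejectNewLogin = true;

    @Override
    public void init(FilterConfig cfg) {
        String v = cfg.getInitParameter("rejectNewLogin");
        if (v != null) {
            rejectNewLogin = Boolean.parseBoolean(v);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Principal principal = request.getUserPrincipal();   // set by Tomcat after j_security_check

        if (principal != null) {
            HttpSession session = request.getSession(true);
            String user = principal.getName();

            // First authenticated request in this session: try to claim the username.
            if (session.getAttribute(OWNER_ATTR) == null) {
                // putIfAbsent is atomic, so two logins racing for the same name cannot both win.
                HttpSession holder = ACTIVE.putIfAbsent(user, session);
                if (holder != null && holder != session) {
                    if (rejectNewLogin) {
                        // Invalidating drops the container's authentication for this session.
                        session.invalidate();
                        response.sendError(HttpServletResponse.SC_CONFLICT,
                                "User " + user + " already has an active session");
                        return;
                    }
                    // Evict the older session. Take the slot first so that the evicted
                    // session's sessionDestroyed() (remove(user, holder)) is a no-op.
                    ACTIVE.put(user, session);
                    try {
                        holder.invalidate();
                    } catch (IllegalStateException alreadyInvalid) {
                        // lost a race with timeout expiry; nothing left to do
                    }
                }
                session.setAttribute(OWNER_ATTR, user);
            }
        }
        chain.doFilter(req, res);
    }

    /** The cleanup André describes: runs for logout, idle timeout and eviction alike. */
    @Override
    public void sessionDestroyed(HttpSessionEvent ev) {
        HttpSession s = ev.getSession();
        Object user = s.getAttribute(OWNER_ATTR);   // attributes are still readable here
        if (user != null) {
            ACTIVE.remove(user, s);   // conditional remove: only if this session still holds the slot
        }
    }

    @Override public void sessionCreated(HttpSessionEvent ev) { }
    @Override public void destroy() { ACTIVE.clear(); }
}
```

Two caveats a practitioner will hit. First, with `rejectNewLogin` a user who simply closes the browser stays locked out until Tomcat's session timeout expires the old session, which is why many sites choose the evict-the-older-session policy instead. Second, the map lives in one JVM; behind a load balancer with several Tomcats the same table has to move to a shared store (or to Tomcat's clustered session manager), otherwise each node enforces the rule only for its own sessions.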

