> Gokul Singh wrote:
>
> Hans Bergsten wrote:
> > [...]
>
> > The spec may not be explicit enough about this, but the session
> object
> > you get back from the getSession() object is a container-managed
> object
> > that the application is not supposed/allowed to keep long-lived
> > references
> > to. It's the same as with all other container-objects made available
> to
> > the
> > application; request, response, JSP tag handlers, etc.
> > I'm not sure why you're keeping references to the session objects in
> > you're application, but if you describe what you're trying to do I'm
> > sure I can give you a hint about another way to accomplish the same
> > thing without the problems you have with your current solution.
>
> I am trying to disallow a single user to have multiple login sessions
> valid at any given time. I have to enforce this even if the user tried
> to login from two different machines.
Okay, in that case comparing HttpSession objects wouldn't work even
if Tomcat kept the same instance throughout the session. If the user
tries to log in from two different machines, he/she would get always
get two different sessions. Even when using two different browser
windows on the same machine, he/she may end up with two different
sessions (long story, search the JSP- and SERVLET-INTEREST list
archives for details). The bottom line is that a session is associated
with a "client", not a "user".
> Can you suggest a solution for this which works on tomcat 3.2.1 and
> uses servlet specs 2.2 only.
Something like this should work in any compliant container.
Create an instance of a class that implements the
javax.servlet.http.HttpSessionBindingListener interface and save it
in the session when the user logs in. Give the instance references
to the ServletContext and the user's login ID. In the valueBound()
method, add the loginID to a data structure kept as a context attribute,
and in the valueUnbound() method, remove the user info from the data
structure:
public class UserBean implements HttpSessionBindingListener,
Serializable {
private ServletContext context;
private String loginID;
public UserBean(ServletContext context, String loginID) {
this.context = context;
this.loginID = loginID;
}
public void valueBound(HttpSessionBindingEvent e) {
Vector currentUsers =
(Vector) context.getAttribute("currentUsers");
if (currentUsers == null) {
currentUsers = new Vector();
}
currentUsers.addElement(loginID);
}
public void valueUnbound(HttpSessionBindingEvent e) {
Vector currentUsers =
(Vector) context.getAttribute("currentUsers");
currentUsers.removeElement(loginID);
}
}
To make sure a user only logs in once, check if the loginID is
already in the context structure before allowing a new login
and creating the UserBean.
Hans
--
Hans Bergsten [EMAIL PROTECTED]
Gefion Software http://www.gefionsoftware.com
Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
