> This method works as long as the user signs out using another jsp page which
> removes all cookies and invalidates the session, but the problem is that if
> the user closes the browser window without signing out, those details are
> never removed from the table and he will not be able to login at all unless
> someone removes his details from the table
That's kind of a big problem <smile>. Your revised solution is on the right
track. Log out the original account and let the new one in. This also has
the consequence of making a person miserable if he shares his login info
since his friends will force him off if they come in while he's actually
using the service, and of course it correctly handles the case where the
user is simply coming back in without having logged out.
> 2. Inform the first logged in user, log him out, invalidate that session
> and create new session for the newly signed in user
Well, HTTP won't let you inform the user unless that user does at least one
more request to your site since the server knows nothing about the client.
> 3. A method which can invalidate a session by its session Id (such as
> session.invalidate(sessionId), because HttpSession.invalidate() method
> does not take any argument and invalidates current session)
That would be cool. Right now, I'm unfamiliar with such APIs, and it seems
a waste to check every request against your session db to see if the session
is still allowed to be active. But if you did, you could update your db with a
flag indicating that the user has been logged out, return that error page
(clearly they didn't really log out since they were able to make another
request on the session) and invalidate the session then.
I'd be interested in knowing if there's any support (standard or otherwise)
to let someone invalidate another session. That would seem like a generally
BAD thing, but I know that Tomcat supports so-called trusted services, and
maybe they can do this.
David
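
Added example, not part of the original message or of Tomcat's own code: one way to get the "log the first session out, let the new one in" behaviour without a per-request database check is to keep a reference to each user's live `HttpSession` and call `invalidate()` on the old reference at login, with a session listener clearing the entry on timeout (the closed-browser case). The class name `SingleSessionRegistry`, the attribute name, and the `register` helper are hypothetical; it assumes a single non-clustered JVM and the Servlet 3.0+ `javax.servlet` API.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical helper: allows one live session per user name. */
@WebListener
public class SingleSessionRegistry implements HttpSessionListener {
    // Assumed attribute name; written by register() below.
    private static final String USER_ATTR = "registry.user";
    // In-memory only: assumes one JVM, no session replication.
    private static final ConcurrentMap<String, HttpSession> ACTIVE =
            new ConcurrentHashMap<>();

    /** Call from the login code once the credentials have been verified. */
    public static void register(String user, HttpSession fresh) {
        fresh.setAttribute(USER_ATTR, user);
        HttpSession old = ACTIVE.put(user, fresh);
        if (old != null && !old.getId().equals(fresh.getId())) {
            try {
                old.invalidate(); // the earlier login is forced off
            } catch (IllegalStateException alreadyGone) {
                // The old session had already expired; nothing left to do.
            }
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to track until a user has authenticated.
    }

    /** Runs on logout, on timeout, and when register() invalidates a session. */
    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession ended = event.getSession();
        Object user = ended.getAttribute(USER_ATTR);
        if (user != null) {
            // Drop the entry only if it still points at the session that ended,
            // so a newer login for the same user is not unregistered.
            ACTIVE.computeIfPresent((String) user,
                    (name, current) -> current.getId().equals(ended.getId()) ? null : current);
        }
    }
}
```

The displaced user's next request arrives with a session id the container no longer knows, so the application's usual "not logged in" handling is where that user can be told what happened.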