----- Original Message -----
From: "David Wall" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 02, 2001 2:01 AM
Subject: Re: Disallowing Concurrent sessions
> > This method works as long as the user signs out using another jsp page which
> > removes all cookies and invalidates the session, but the problem is that if
> > the user closes the browser window without signing out, those details are
> > never removed from the table and he will not be able to login at all unless
> > someone removes his details from the table
>
> That's kind of a big problem <smile>. Your revised solution is on the right
> track. Logout the original account and let the new one in. This also has
> the consequence of making a person miserable if he shares his login info
> since his friends will force him off if they come in while he's actually
> using the service, and of course it correctly handles the case where the
> user is simply coming back in without having logged out.
>
> > 2. Inform the first logged in user, log him out, invalidate that session
> > and create new session for the newly signed in user
>
> Well, HTTP won't let you inform the user unless that user does at least one
> more request to your site since the server knows nothing about the client.
True, but this can be done .. like adding a small image or a spacer image which
refreshes every minute and makes a request .. or a JavaScript function which
makes a request on the onMouseOver event - catch this event when the mouse reaches a
prominent/frequently used location in the browser window .. and so on
>
> > 3. A method which can invalidate a session by its session Id (such as
> > session.invalidate(sessionId), because the HttpSession.invalidate() method
> > does not take any argument and invalidates the current session)
>
> That would be cool. Right now, I'm unfamiliar with such APIs, and it seems
> a waste to check every request against your session db to see if the session
> is still allowed to be active. But if you did, you could update your db with a
> flag indicating that the user has been logged out, return that error page
> (clearly they didn't really log out since they were able to make another
> request on the session) and invalidate the session then.
In fact, some tools like Yahoo chat, mail and messenger services and MSN
messenger have these features .. I'm not sure of the logic behind this
>
> I'd be interested in knowing if there's any support (standard or otherwise)
> to let someone invalidate another session. That would seem like a generally
> BAD thing, but I know that Tomcat supports so-called trusted services, and
> maybe they can do this.
>
Hope, some tomcat-developers contribute to this post
> David
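
The "log out the original session and let the new one in" approach discussed in this thread, sketched as an added example that is not code from either poster or from Tomcat. It assumes the `javax.servlet.http` API and a single, non-clustered JVM; the class name `SingleSessionRegistry` and the attribute name are hypothetical.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Hypothetical helper: keeps at most one live session per user name. */
public final class SingleSessionRegistry {
    private static final ConcurrentMap<String, HttpSession> ACTIVE = new ConcurrentHashMap<>();
    private static final String MARKER_ATTR = "singleSession.marker"; // assumed attribute name

    /** Stored in the session; the container calls valueUnbound on sign-out, timeout or invalidate(). */
    private static final class Marker implements HttpSessionBindingListener {
        private final String user;
        private final HttpSession owner;
        Marker(String user, HttpSession owner) { this.user = user; this.owner = owner; }
        @Override public void valueBound(HttpSessionBindingEvent e) { }
        @Override public void valueUnbound(HttpSessionBindingEvent e) {
            // Remove the entry only if it still points at this session,
            // so a newer login by the same user is not evicted.
            ACTIVE.remove(user, owner);
        }
    }

    /** Call once the credentials have been verified, passing the newly created session. */
    public static void login(String user, HttpSession fresh) {
        HttpSession previous = ACTIVE.put(user, fresh);
        fresh.setAttribute(MARKER_ATTR, new Marker(user, fresh));
        if (previous != null && previous != fresh) {
            try {
                // The older browser is simply unauthenticated on its next request.
                previous.invalidate();
            } catch (IllegalStateException alreadyInvalid) {
                // The old session had already timed out; nothing left to do.
            }
        }
    }

    /** Explicit sign-out; valueUnbound then clears the registry entry. */
    public static void logout(HttpSession session) {
        session.invalidate();
    }
}
```

Because the registry entry is cleared by the container's session timeout as well as by explicit sign-out, a user who just closes the browser is not locked out, and no per-request database check is needed.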