yes, this boils down to a business policy issue. in my web app the
policy is 'one user at any one time'. we track user logins at the
database level. we immediately invalidate the existing user session if
the same user has just logged in (again).
the existing user gets a "your session has expired" message upon their
next action in the web app. basically, the latest login wins.
this is the behavior/policy our client is happy with.
woodchuck
--- Andre Van Klaveren <[EMAIL PROTECTED]> wrote:
> I mentioned this issue (killing browser problem) in a previous
> posting. The only way to prevent this is to invalidate the original
> session also in the event that a duplicate login was detected. I can
> see a possible DOS attack problem with this solution though. Maybe
> you shouldn't invalidate the original session and make the user call
> helpdesk to invalidate the original session. This would aid in the
> tracking of this event also.
>
> Using IP addresses is usually not a good way to detect duplicate
> logins. I guess this would work in a controlled environment
> (intranet) where you can guarantee that the user(s) aren't behind a
> proxy server. It's definitely not an option for a public site.
>
> On 6/15/05, Nikola Milutinovic <[EMAIL PROTECTED]> wrote:
> > David Rickard wrote:
> >
> > > Don't know if this is an optimum solution, but it should work:
> > > Keep a List or Vector of IDs for active users in a shared,
> > > application-level object (probably ServletContext);
> > > When someone logs in, search the List for the submitted ID: if not
> > > present, continue with login sequence; if present, kick them to the
> > > "duplicate login" page;
> > > Remove IDs from the List when users log out (and add a
> > > ServletContextListener to catch people who leave the site without
> > > logging out--remove their IDs when their sessions time out);
> >
> >
> > This is definitely a correct approach, but it has one shortcoming.
> > Suppose one user opens up a session (logs in) and his/her browser dies.
> > The user opens another browser and tries to login, only to be kicked to
> > "duplicate user" page. I think in this case, the original poster should
> > have a vector or a hash map of user names and remote machine names/IPs.
> >
> > Nix.
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
>
> --
> Virtually,
> Andre Van Klaveren
> Architect III, SCP
> Enterprise Transformation Services
> Unisys Corporation
>
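Both policies discussed in this thread (David's "kick the second login to a duplicate-login page" and woodchuck's "latest login wins", with the session-timeout cleanup David asks for) can be driven from one shared registry plus an HttpSessionListener. This is an added example, not code from any poster; it assumes the javax.servlet API on a single JVM (no clustering), the class and attribute names shown, and that the listener is registered in web.xml. Note that the latest-wins mode is exactly the one where Andre's concern applies: anyone who can log in as the user can knock the user's live session off.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** One live session per user name. Register as a <listener> in web.xml (assumed). */
public class SingleSessionRegistry implements HttpSessionListener {
    // user name -> session currently holding the login; single JVM, no clustering (assumed)
    private static final Map<String, HttpSession> ACTIVE = new ConcurrentHashMap<>();
    static final String USER_ATTR = "registry.user";   // assumed attribute name

    /** Call after the credentials check. latestWins=false refuses a second login while the
     *  old session lives (David's approach; a dead browser locks the user out until that
     *  session times out, as Nix notes); latestWins=true invalidates the old session instead
     *  (woodchuck's policy). Returns true if this login proceeds. */
    public static boolean login(String user, HttpSession session, boolean latestWins) {
        if (!latestWins) {
            HttpSession previous = ACTIVE.putIfAbsent(user, session);
            if (previous != null && !previous.getId().equals(session.getId())) {
                return false;                 // caller sends the "duplicate login" page
            }
        } else {
            HttpSession previous = ACTIVE.put(user, session);
            if (previous != null && !previous.getId().equals(session.getId())) {
                try {
                    previous.invalidate();    // old browser gets "session expired" on its next request
                } catch (IllegalStateException alreadyGone) {
                    // already timed out or invalidated; nothing to do
                }
            }
        }
        session.setAttribute(USER_ATTR, user);
        return true;
    }

    @Override public void sessionCreated(HttpSessionEvent e) { /* nothing to do */ }

    /** Runs on timeout, explicit logout (session.invalidate()), or the invalidate() above.
     *  Frees the slot only if this session still owns it, so a newer login by the same
     *  user is not clobbered when the old session is torn down. */
    @Override public void sessionDestroyed(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        Object user = s.getAttribute(USER_ATTR);
        if (user != null) {
            ACTIVE.computeIfPresent((String) user,
                    (u, cur) -> cur.getId().equals(s.getId()) ? null : cur);
        }
    }
}
```

Comparing sessions by id rather than object identity is what lets the map stay correct when the container destroys the old session synchronously inside the new login's invalidate() call.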