Andre Van Klaveren wrote:
I mentioned this issue (killing browser problem) in a previous posting. The only way to prevent this is to invalidate the original session also in the event that a duplicate login was detected. I can see a possible DOS attack problem with this solution though. Maybe you shouldn't invalidate the original session and make the user call helpdesk to invalidate the original session. This would aid in the tracking of this event also.
To DoS or not to DoS? I would let the session expire naturally, let the SessionListener cleanup and logout the user and when a duplicate comes in tell them what is the case. If they need access *now*, they can call the help desk.
Using IP addresses is usually not a good way to detect duplicate logins. I guess this would work in a controlled environment (intranet) where you can guarantee that the user(s) aren't behind a proxy server. It's definitely not an option for a public site.
True. Nix.
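As an added example (not code from this thread or from any project it mentions), here is the approach Nix describes: a per-user registry that refuses a second login while the first session is still alive, leaves the original session untouched so a duplicate attempt cannot be used to kick a user out, and is cleaned up by an HttpSessionListener when the original session expires or is logged out. It assumes the Servlet API and a session attribute name `loginUser`, both of which are assumptions here.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Tracks which live session, if any, currently holds each user's login. */
public class SingleLoginRegistry implements HttpSessionListener {
    // Session attribute under which the login code stores the user name (assumed name).
    static final String USER_ATTR = "loginUser";
    // user name -> id of the session that owns the active login
    private static final Map<String, String> ACTIVE = new ConcurrentHashMap<>();

    /**
     * Called by the login code after the credentials have been verified.
     * Returns true if the login is accepted. If another live session already
     * holds the login, the new attempt is refused and the original session is
     * left alone: the user is told a session exists and can wait for it to
     * expire or call the help desk, which also gives a record of the event.
     */
    public static boolean tryLogin(String user, HttpSession session) {
        String owner = ACTIVE.putIfAbsent(user, session.getId());
        if (owner != null && !owner.equals(session.getId())) {
            return false; // duplicate login detected; do not invalidate the original
        }
        session.setAttribute(USER_ATTR, user);
        return true;
    }

    @Override
    public void sessionCreated(HttpSessionEvent e) {
        // Nothing to track until the user actually logs in.
    }

    /** Runs on logout or timeout: release the login so the user can sign in again. */
    @Override
    public void sessionDestroyed(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        Object user = s.getAttribute(USER_ATTR);
        if (user != null) {
            // Remove only if this session is still the owner, so a refused
            // duplicate session expiring later cannot release someone else's login.
            ACTIVE.remove((String) user, s.getId());
        }
    }
}
```

The listener has to be registered in web.xml (a `<listener>` element) for `sessionDestroyed` to fire; a restart of the container empties the in-memory map, which is acceptable here because it also discards the sessions themselves.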
