Hi Rick,
That would probably be a good idea to use two filters vs doing it all
in one. Although it could also be nice to see all that happens for
each request by looking in just one filter vs two.
I like this idea because in my opinion filters should do small tasks.
This way they can be used separately or they can be combined
in a chain to achieve some more complicated functionality.
For example Frank's JWP could have a filter which limits the number of
sessions for a configurable max value and another filter
which checks for a session timeout. If the session timeout occurs it can
redirect to a configurable page.
This way you have two filters which provide functionality that can be
used separately or they can be combined.
And I don't think that it will be confusing for someone to look at two
filters. They don't have to check the code.
The filters are black-boxes and you have to look just in the web.xml to
know what is going on.
You will see that first all requests are filtered to limit the sessions
and then that expired sessions are redirected by
the second filter.
2) I noticed a lot of odd behavior when the server was shut down and
the pages were still up. For example, if the user was left on a page
that displayed a "log off" link and the server was restarted, when
they then clicked on log off (which calls session invalidate) it
would decrement the sessionCounter to -1. I'm not sure how
sessionDestroyed could get called before sessionCreated, but I guess
it can? My hack here was to do a check for sessionCount being less
than 0 and if so reset it to 0.
This is strange. What kind of webcontainer do you use?
At first glance it seems like your web container has a 'feature' to
serialize sessions on stop and to recreate them when you start the
server again.
In this case the sessionCounter would be set to 0 on restart but the
session would be recreated => no sessionCreated() executed, just
sessionDestroyed() on logout...
Possibly that is what is happening. The scenario where I noticed this
was using JBoss (Tomcat as the app server in JBoss).
I've just checked it and Tomcat has this feature.
However you must configure Tomcat to never recover your sessions!
I'm afraid that your "check if sessionCount is less than 0" is just not
enough.
Ex:
User A uses the app
Tomcat is restarted
User B comes in and gets a new session (sessionCount becomes 1 which is
the max allowed)
User A tries to use the app and he has a recovered and unflagged
session. sessionCreated will not be executed and nothing
will prevent the user A to use the app while user B is using it.
If you put a META-INF/context.xml in your WAR with the following content:
<Context>
<Manager class="org.apache.catalina.session.StandardManager" pathname="" />
</Context>
you should be ok.
The Manager can be also configured to limit the sessions with the
maxActiveSessions attribute :-D
So if it was not a problem for you to tie your implementation to Tomcat
then everything would be easier.
You set the maxActiveSessions attribute to 1, and in the filter when
you execute request.getSession you
catch the IllegalStateException thrown by Tomcat. If it's thrown you
redirect to appInUse.jsp
You can forget about the SessionListener, you won't need it.
However, I would like to have a general solution for this and since we
took the time to think it over
we could have this code somewhere so it will be reusable in the future.
For example Frank's JWP would be a great place to include these filters,
if he accepted to include
them in his project.
Regards,
Tamas
p.s. the open question: you want a Tomcat specific solution or a general
one?
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
