Stefano_i0600006 wrote: How are you planning to close the current session?
If there is already an active session for the user who wants to log in, I want to show a warning message like: "There is already an active application session for user xxx; going forward will close the current session and open a new one".
Stefano_i0600006 wrote: Why do you want to use an internal/undocumented/unsupported API??
Using some db views I can generate a report with the list of active sessions for my application.
Something like this:
SELECT q1.apex_session_id, q1.user_name, q1.session_created,
       q2.application_id, q2.first_access, q2.last_access, q2.requests
  FROM apex_workspace_sessions q1,
       (SELECT apex_session_id, application_id,
               MAX(view_date) last_access, MIN(view_date) first_access, COUNT(*) requests
          FROM apex_workspace_activity_log  -- assumed source view: the FROM clause of this subquery is missing in the original post
         WHERE application_id = :APP_ID
         GROUP BY apex_session_id, application_id) q2
 WHERE q1.apex_session_id = q2.apex_session_id
   AND q1.user_name != 'nobody';
So I can tell whether a user has already logged on to my application.
The problem is that the only way to close old sessions is the API wwv_flow_cache.purge_sessions, which does not take a session id as a parameter but only p_purge_sess_older_then_hrs.
Is there no way in APEX to kill a session (by session id)?
Look into APEX_AUTHENTICATION.LOGOUT
Stefano_i0600006 wrote: Then, the restriction should be implemented in your program code to check the logged-in user > once the user has booked something from a session (within 20 other sessions) > restrict that user from doing further transactions in other sessions (this can simply be a page validation that checks the current user against some custom table)
The application provides users with several booking features following the FIFO rule (First In, First Out). The feature becomes active at a given instant in time.
It happens that the same user opens multiple sessions in different browsers or on different computers to have more chances of success in the booking.
This considerably increases the number of simultaneous requests to the server in a short period of time, decreasing performance.
It has happened that the same user opened more than 20 concurrent sessions with his credentials, asking friends or colleagues for help.
With control over multiple sessions, the aim is just to limit this practice.
4. In your application login page > add a validation to check if any active sessions exist in APP_USER_SESSIONS and prompt them to confirm to proceed, and by proceeding the other sessions will be terminated.
-- runs every time the page is refreshed
declare
    v number;
begin
    select 1 into v
      from APP_USER_SESSIONS
     where user_name = :APP_USER
       and SESSION_ID = :APP_SESSION
       and ACTIVE_FLAG = 'Y';
exception
    when no_data_found then
        APEX_AUTHENTICATION.LOGOUT(:APP_SESSION, :APP_ID);
end;
When the user refreshes the browser in multiple sessions they will be verified and terminated accordingly!
update APP_USER_SESSIONS set active_flag='N' where user_name = :APP_USER and session_id != :APP_SESSION;
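The APP_USER_SESSIONS approach from the post above, gathered into one PL/SQL package as an added example (not code from the thread): has_other_active_session backs the login-page validation, register_session runs after authentication, and enforce_single_session runs as a before-header application process. The table name APP_USER_SESSIONS comes from the thread; the column names, the package name and the procedure names are assumptions.

```sql
-- Added example, not from the thread: table name APP_USER_SESSIONS is from
-- the thread; column, package and procedure names are assumptions.
CREATE TABLE app_user_sessions (
    session_id  NUMBER        PRIMARY KEY,
    user_name   VARCHAR2(255) NOT NULL,
    active_flag VARCHAR2(1)   DEFAULT 'Y' NOT NULL
);

CREATE OR REPLACE PACKAGE app_session_ctl AS
    FUNCTION has_other_active_session(p_user VARCHAR2, p_session NUMBER) RETURN BOOLEAN;
    PROCEDURE register_session(p_user VARCHAR2, p_session NUMBER);
    PROCEDURE enforce_single_session(p_user VARCHAR2, p_session NUMBER, p_app_id NUMBER);
END app_session_ctl;
/

CREATE OR REPLACE PACKAGE BODY app_session_ctl AS
    -- Login-page validation: TRUE when the user already holds another active session.
    FUNCTION has_other_active_session(p_user VARCHAR2, p_session NUMBER) RETURN BOOLEAN IS
        l_cnt PLS_INTEGER;
    BEGIN
        SELECT COUNT(*) INTO l_cnt FROM app_user_sessions
         WHERE user_name = p_user AND session_id != p_session AND active_flag = 'Y';
        RETURN l_cnt > 0;
    END;

    -- Post-authentication: mark the user's other sessions inactive, record this one.
    PROCEDURE register_session(p_user VARCHAR2, p_session NUMBER) IS
    BEGIN
        UPDATE app_user_sessions SET active_flag = 'N'
         WHERE user_name = p_user AND session_id != p_session;
        MERGE INTO app_user_sessions t
        USING (SELECT p_session AS session_id FROM dual) s
           ON (t.session_id = s.session_id)
         WHEN MATCHED THEN UPDATE SET active_flag = 'Y', user_name = p_user
         WHEN NOT MATCHED THEN INSERT (session_id, user_name, active_flag)
                               VALUES (p_session, p_user, 'Y');
    END;

    -- Before-header application process: a superseded session is logged out.
    PROCEDURE enforce_single_session(p_user VARCHAR2, p_session NUMBER, p_app_id NUMBER) IS
        l_cnt PLS_INTEGER;
    BEGIN
        SELECT COUNT(*) INTO l_cnt FROM app_user_sessions
         WHERE session_id = p_session AND user_name = p_user AND active_flag = 'Y';
        IF l_cnt = 0 THEN
            apex_authentication.logout(p_session_id => p_session, p_app_id => p_app_id);
        END IF;
    END;
END app_session_ctl;
/
```

In the APEX processes pass :APP_USER, :APP_SESSION and :APP_ID as the arguments; the login page shows its confirmation prompt when has_other_active_session returns TRUE.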
Stefano_i0600006 wrote: So a custom solution is the right approach; you can extend my example above with some more tables/columns so that you can easily implement functionality to enable and disable multiple sessions for each user.
Christian, you're right.
There are many ways to cause denial of service.
What you have explained so well still requires some experience in the management of sessions and cookies.
However, in my scenario I do not care so much about malicious users, but about "standard" users. This type of user has no plan to force the system maliciously, but just wants to take advantage of the possibility of multiple concurrent logins for the best chance of booking. This is a normal and accepted use of the application. For this reason I would at least like to disable this option: first, to give all users the same opportunity to book, and also to prevent server overloading.
I think that an option to allow or deny multiple logins might easily be implemented in the authentication systems of future APEX releases. It could be an appreciated feature.
Meanwhile I will manually implement a mechanism to detect multiple sessions of the same user.
Thank you again.
PS: my booking system also implements Google reCAPTCHA to prevent requests generated by robots.
Identify error message displayed when scheme violated: This session is no longer active because you have logged into another session after this one.
select 1
  from apex_workspace_sessions
 where user_name = :APP_USER
   and session_created = (select max(session_created)
                            from apex_workspace_sessions
                           where user_name = :APP_USER)
   and apex_session_id = :APP_SESSION