25 Replies Latest reply: Jul 26, 2011 9:16 AM by 367265

    how to prevent multiple logins by using HttpBindingListener

    367265
      Hi,
      Can anyone tell me how I actually use a session to prevent multiple logins from different machines? From my understanding, I need to use HttpBindingListener to valueBound and valueUnbound when a user tries to log in, but the problem I encounter is that my session is always overwritten, since I use the setAttribute() method in the servlet.
      For instance, I use usernames (aaa & bbb) to log in on two different machines; my login is always overwritten if I use username bbb to log in after username aaa. I know it is because the setAttribute() method overwrites existing session data, so I would like to know what other method I should use to achieve what I want, thanks.
        • 1. Re: how to prevent multiple logins by using HttpBindingListener
          gimbal2
          marcalena wrote:
          Hi,
          Can anyone tell me how I actually use a session to prevent multiple logins from different machines? From my understanding, I need to use HttpBindingListener to valueBound and valueUnbound when a user tries to log in, but the problem I encounter is that my session is always overwritten, since I use the setAttribute() method in the servlet.
          For instance, I use usernames (aaa & bbb) to log in on two different machines; my login is always overwritten if I use username bbb to log in after username aaa. I know it is because the setAttribute() method overwrites existing session data, so I would like to know what other method I should use to achieve what I want, thanks.
          ... use getAttribute() first to check if a value already exists?
          • 2. Re: how to prevent multiple logins by using HttpBindingListener
            EJP
            Eh? A new login creates a new session, so session.setAttribute() isn't overwriting anything, it is setting attributes in the new session. You're going to have to explain yourself more clearly. I don't see how a binding listener can solve this problem.
            • 3. Re: how to prevent multiple logins by using HttpBindingListener
              gimbal2
              EJP wrote:
              Eh? A new login creates a new session, so session.setAttribute() isn't overwriting anything, it is setting attributes in the new session. You're going to have to explain yourself more clearly. I don't see how a binding listener can solve this problem.
              DOH! I didn't see the multiple machines part.

              Actually I've done something similar in the past where a session binding listener was used to know what users were logged in (with automatic "logout" when the session expired) while the actual status was kept at application scope (even worse though: in a static map).

              But yeah, it was quite ugly. I would rather look into some Single Sign-On solution if I had to actually check if a user is already logged in and act on it.
              • 4. Re: how to prevent multiple logins by using HttpBindingListener
                367265
                Hi,
                This is the logic for the session:
                /*
                Connect to the db for verification; once verified, the system returns a UserBean and this UserBean will be set in ClientSecurityEngine.
                When this particular user has been successfully verified, a new session will be created.
                */
                if(success)
                {
                    session = request.getSession();
                    User user;
                    synchronized(session)
                    {
                        user = (User) session.getAttribute("user");
                        if(user == null)
                        {
                            user = new User(ClientSecurityEngine.getInstance().getUserBean().getUsername());
                            session.setAttribute("user", user);
                        }
                    }
                }
                
                
                
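                /* User class */

                import java.util.Collections;
                import java.util.HashMap;
                import java.util.Map;
                import javax.servlet.http.HttpSession;
                import javax.servlet.http.HttpSessionBindingEvent;
                import javax.servlet.http.HttpSessionBindingListener;

                public class User implements HttpSessionBindingListener {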
                
                    private static Map<String, HttpSession> logins = Collections.synchronizedMap(new HashMap<String, HttpSession>());
                    private String username;
                
                    public User(String username) {
                        this.username = username;        
                    }
                
                    public String getUsername() {
                        return username;
                    }
                    
                    @Override
                    public void valueBound(HttpSessionBindingEvent event) {
                        if (logins.containsKey(getUsername())) {
                            HttpSession session = logins.remove(getUsername());
                            if (session != null) {
                                session.invalidate();
                            }
                            logins.put(getUsername(), event.getSession());
                        } else {
                            logins.put(getUsername(), event.getSession());
                        }
                
                    }
                
                    @Override
                    public void valueUnbound(HttpSessionBindingEvent event) {
                        logins.remove(getUsername());
                    }
                }
                Edited by: EJP on 21/07/2011 14:22: added {noformat} {noformat} tags so we can actually read your code. Please use them.
                • 5. Re: how to prevent multiple logins by using HttpBindingListener
                  367265
                  Hi,
                  How can single sign-on solve this issue, since SSO lets the user log in once and do the rest of the work without signing in again? I don't see the point of using this, if I am not mistaken.
                  • 6. Re: how to prevent multiple logins by using HttpBindingListener
                    EJP
                    I know it is because the setAttribute() method overwrites existing session data
                    user = (User) session.getAttribute("user");
                    if(user == null)
                    {
                        user = new User(ClientSecurityEngine.getInstance().getUserBean().getUsername());
                        session.setAttribute("user", user);
                    }
                    }
                    I don't get it. There is no overwriting of existing session data there. The "user" attribute is only set if it was absent. What exactly are you talking about?
                    • 7. Re: how to prevent multiple logins by using HttpBindingListener
                      367265
                      Hi,
                      Sorry, I missed out this portion in main.jsp.

                      main.jsp is the main page after user login; in this page it calls session to validate whether session is null or not; if yes, it'll redirect the user to the login page.
                      User user = (User) session.getAttribute("user");
                      if (user == null) {
                          PrintWriter out1 = response.getWriter();
                          out1.println("<html>");
                          out1.println("<script>");
                          out1.println("alert ('Session timeout')");
                          out1.println("window.open ('index.jsp','_parent')");
                          out1.println("</script>");
                          out1.println("</html>");
                      }
                      I am not sure whether it is this code that causes the session to get the last login user.

                      Edited by: EJP on 21/07/2011 15:37: added {noformat} {noformat} tags again. Please use them.
                      • 8. Re: how to prevent multiple logins by using HttpBindingListener
                        EJP
                        in this page it calls session to validate whether session is null or not
                        No it doesn't, it tests whether the "user" attribute of what I hope is the current session is null. Where did 'session' come from? And then it tells the user his session has timed out when there could be a lot of other causes starting with a logout or a login by him at another machine as per your code above.

                        You still haven't stated clearly what your problem is, and where you get this stuff about overwriting. Why exactly do you care if he logs in again at another machine?
                        • 9. Re: how to prevent multiple logins by using HttpBindingListener
                          367265
                          Hi,
                          My problem is this: when I log in to the system from my Windows machine, I use username aa to log in (using the Mozilla browser), so I can see from my application that my username is aa. After that I open another browser (IE) and log in to the system again using username bb; I manage to log in successfully by providing username bb and password. So now I have two browsers (Mozilla & IE) logged in to the system using two different usernames (aa & bb). OK, now the problem comes: when I use my first browser (Mozilla) to browse around in the system, my username is replaced with bb (the 2nd login in IE). The 2nd login user overwrites the 1st login user.
                          • 10. Re: how to prevent multiple logins by using HttpBindingListener
                            gimbal2
                            marcalena wrote:
                            Hi,
                            My problem is this: when I log in to the system from my Windows machine, I use username aa to log in (using the Mozilla browser), so I can see from my application that my username is aa. After that I open another browser (IE) and log in to the system again using username bb; I manage to log in successfully by providing username bb and password. So now I have two browsers (Mozilla & IE) logged in to the system using two different usernames (aa & bb). OK, now the problem comes: when I use my first browser (Mozilla) to browse around in the system, my username is replaced with bb (the 2nd login in IE). The 2nd login user overwrites the 1st login user.
                            private static Map<String, HttpSession> logins = Collections.synchronizedMap(new HashMap<String, HttpSession>());
                            Remove this logic, putting session objects in a map is even more terrible than what I did. Just DON'T do that, a session is a server managed resource and it should ONLY be managed by the server. Keep your hands off of it. If you need to keep track of user information create your own objects to do so.
                            • 11. Re: how to prevent multiple logins by using HttpBindingListener
                              EJP
                              You need to start a new session when someone logs in. I assume that is after 'success' above? So you need to call session.invalidate() and then session = request.getSession(true).
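The two suggestions above (start a fresh session at login, and track your own objects rather than `HttpSession` instances), combined in one sketch. This is an added example, not code from any poster in the thread; `SingleLogin`, `onLoginSuccess` and `currentUser` are hypothetical names, and it assumes the `javax.servlet` API of the period and a single JVM.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Hypothetical helper (not from the thread): one live session per username. */
public final class SingleLogin {

    // username -> id of the only session currently accepted for that user.
    // Plain strings, not HttpSession objects: the container keeps ownership.
    // Assumption: single JVM; a cluster needs a shared store instead.
    private static final ConcurrentMap<String, String> CURRENT = new ConcurrentHashMap<>();

    private SingleLogin() { }

    /** Call only after the credentials were verified (the "success" branch). */
    public static HttpSession onLoginSuccess(HttpServletRequest request, String username) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();                 // discard this browser's previous session
        }
        HttpSession fresh = request.getSession(true);   // new session, new id
        fresh.setAttribute("user", new User(username)); // fires valueBound below
        return fresh;
    }

    /** Call on every protected request; returns null if the caller must log in. */
    public static User currentUser(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        User user = (session == null) ? null : (User) session.getAttribute("user");
        if (user == null) {
            return null;
        }
        if (!session.getId().equals(CURRENT.get(user.getUsername()))) {
            session.invalidate();             // a later login elsewhere replaced this one
            return null;
        }
        return user;
    }

    /** Session attribute whose bind/unbind events keep CURRENT up to date. */
    public static final class User implements HttpSessionBindingListener {
        private final String username;
        private volatile String sessionId;

        User(String username) { this.username = username; }
        public String getUsername() { return username; }

        @Override
        public void valueBound(HttpSessionBindingEvent event) {
            sessionId = event.getSession().getId();
            CURRENT.put(username, sessionId);  // newest login wins
        }

        @Override
        public void valueUnbound(HttpSessionBindingEvent event) {
            // Two-argument remove: clear the entry only if it still names this
            // session, so an old session expiring cannot log out the newer one.
            CURRENT.remove(username, sessionId);
        }
    }
}
```

A superseded session is rejected lazily, on its next request, so no code outside the container ever holds or invalidates another user's `HttpSession`.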
                              • 12. Re: how to prevent multiple logins by using HttpBindingListener
                                367265
                                Hi,
                                If I remove this:

                                private static Map<String, HttpSession> logins = Collections.synchronizedMap(new HashMap<String, HttpSession>());


                                I won't be able to check for a login user using the same username.
                                The reason for me to implement the User class is to check the login user; the system needs to prevent the same login user from a different browser.

                                public void valueBound(HttpSessionBindingEvent event) {
                                    if (logins.containsKey(getUsername())) {
                                        HttpSession session = logins.remove(getUsername());
                                        if (session != null) {
                                            session.invalidate();
                                        }
                                        logins.put(getUsername(), event.getSession());
                                    } else {
                                        logins.put(getUsername(), event.getSession());
                                    }
                                }

                                @Override
                                public void valueUnbound(HttpSessionBindingEvent event) {
                                    logins.remove(getUsername());
                                }

                                Do you have better ideas for this?
                                My requirement is:
                                1) Session time out for the 1st user if a 2nd user uses the same username & password to log in. No double login for the same user from different places, different browsers.
                                • 13. Re: how to prevent multiple logins by using HttpBindingListener
                                  EJP
                                  Marcalena, I have already edited two of your posts to put the {noformat} {noformat} tags around the code so it is readable. Nobody is going to read code when you post it like that, and I am done editing your posts for you. If you don't fix it you won't get any assistance.
                                  • 14. Re: how to prevent multiple logins by using HttpBindingListener
                                    ramp
                                    marcalena wrote:
                                    Hi,
                                    My problem is this: when I log in to the system from my Windows machine, I use username aa to log in (using the Mozilla browser), so I can see from my application that my username is aa. After that I open another browser (IE) and log in to the system again using username bb; I manage to log in successfully by providing username bb and password. So now I have two browsers (Mozilla & IE) logged in to the system using two different usernames (aa & bb). OK, now the problem comes: when I use my first browser (Mozilla) to browse around in the system, my username is replaced with bb (the 2nd login in IE). The 2nd login user overwrites the 1st login user.
                                    EJP has said this several times in this post. Let me repeat - there are 2 symptoms you are talking about here.

                                    1. You do not want the same user to be logged in at the same time (from different machines/browsers).

                                    2. You do not want two users to be logged in from the same machine.

                                    Now which problem are you trying to solve?