shiro-user mailing list archives

From Albert Kam <moonblade.w...@gmail.com>
Subject Re: Control/Prevent concurrent user logins from different browsers/devices
Date Fri, 04 Oct 2013 12:34:30 GMT
I assume that in order to detect the existing session,
I'll have to do a check based on the principal (or in my simple case, the
username) upon a new login.
If the old session is there, then it's deleted, and the new login can
continue. So, last login wins.

I tried doing the check in AbstractSessionDAO.doCreate,
but at that time the passed SimpleSession doesn't contain any info about the
principal yet.
Next I tried AbstractSessionDAO.update, where the principal info is set
under the attribute key
of "org.apache.shiro.subject.support.DefaultSubjectContext_PRINCIPALS_SESSION_KEY".
After fetching the principal, I can continue checking the existing session
using the same principal and delete it.
But I'm wondering whether this is the place to do the checking?
If so, how do I differentiate between the session creation's update() and
other kinds of updates to avoid having to check for every update?

> Then, when a user request comes in, you can query the session data store
> and see if they have any existing sessions.
May I ask where is a good place to do this checking?

> If so, deny the request.
How to deny the request?


On Sun, Sep 29, 2013 at 2:01 AM, Les Hazlewood <lhazlewood@apache.org> wrote:

> This is not built in to Shiro at the moment.  Your best bet is to use
> Shiro's native session management and use a queryable session data store.
>  Then, when a user request comes in, you can query the session data store
> and see if they have any existing sessions.  If so, deny the request.
>
> HTH,
>
> --
> Les Hazlewood | @lhazlewood
> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
>
>
> On Fri, Sep 27, 2013 at 3:09 AM, gurjant singh <gurjantsingh73@gmail.com> wrote:
>
>> Hi,
>>
>> I have to allow a user to log in only from one device at a time and have to
>> expire or invalidate the other sessions of that user if he has logged in
>> from other devices/browsers. How can we do this in Apache Shiro? Please
>> help me.
>>
>> Thanks,
>>
>> -Bunty
>


-- 
Do not pursue the past. Do not lose yourself in the future.
The past no longer is. The future has not yet come.
Looking deeply at life as it is in the very here and now,
the practitioner dwells in stability and freedom.
(Thich Nhat Hanh)
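
Added example, not part of the original message and not Shiro's own code: one way to get the "last login wins" behaviour discussed above is to run the check in application code right after subject.login() succeeds, instead of inside the DAO's doCreate/update. It assumes Shiro's native session management and a SessionDAO whose getActiveSessions() returns every stored session; the names LastLoginWins, evictOtherSessions and sessionFor are hypothetical, and the sessions in main() are constructed sample data.

```java
import java.io.Serializable;
import java.util.ArrayList;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.SimpleSession;
import org.apache.shiro.session.mgt.eis.MemorySessionDAO;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;

public class LastLoginWins {

    /** Deletes every stored session owned by the principal except the current one. */
    static int evictOtherSessions(SessionDAO dao, Object principal, Serializable currentId) {
        int evicted = 0;
        // Copy first: a DAO may hand back a live view of its store.
        for (Session s : new ArrayList<>(dao.getActiveSessions())) {
            Object attr = s.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
            if (!(attr instanceof PrincipalCollection)) {
                continue; // session has no authenticated principal yet
            }
            Object owner = ((PrincipalCollection) attr).getPrimaryPrincipal();
            if (principal.equals(owner) && !s.getId().equals(currentId)) {
                dao.delete(s); // older login of the same user
                evicted++;
            }
        }
        return evicted;
    }

    /** Builds a sample session carrying the principals attribute Shiro stores after login. */
    static Session sessionFor(String username) {
        SimpleSession s = new SimpleSession();
        s.setAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY,
                new SimplePrincipalCollection(username, "sampleRealm"));
        return s;
    }

    public static void main(String[] args) {
        MemorySessionDAO dao = new MemorySessionDAO();
        dao.create(sessionFor("alice"));                      // earlier login
        dao.create(sessionFor("bob"));                        // unrelated user
        Serializable newest = dao.create(sessionFor("alice")); // login that should win
        int evicted = evictOtherSessions(dao, "alice", newest);
        System.out.println("evicted=" + evicted
                + " remaining=" + dao.getActiveSessions().size());
    }
}
```

In an application the call would be evictOtherSessions(sessionDAO, subject.getPrincipal(), subject.getSession().getId()) immediately after a successful login, so the check runs once per login rather than on every session update.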
