Mailing-List: contact user-help@shiro.apache.org; run by ezmlm
Delivered-To: mailing list user@shiro.apache.org
Reply-To: user@shiro.apache.org
Date: Fri, 4 Oct 2013 19:34:30 +0700
From: Albert Kam
To: "user@shiro.apache.org"
Subject: Re: Control/Prevent concurrent user logins from different browsers/devices

I assume that in order to detect the existing session, I'll have to do a check based on the principal (or in my simple case, the username) upon a new login. If the old session is there, then it's deleted, and the new login can continue. So, last login wins.

I tried doing the check in AbstractSessionDAO.doCreate, but at that time the passed SimpleSession doesn't contain any info about the principal yet. Next I tried AbstractSessionDAO.update, where the principal info is set under the attribute key of "org.apache.shiro.subject.support.DefaultSubjectContext_PRINCIPALS_SESSION_KEY". After fetching the principal, I can continue checking the existing session using the same principal and delete it. But I'm wondering whether this is the place to do the checking? If so, how do I differentiate between the session creation's update() and other kinds of updates, to avoid having to check for every update?

> Then, when a user request comes in, you can query the session data store and see if they have any existing sessions.

May I ask where is the good place to do this checking?

> If so, deny the request.

How to deny the request?

On Sun, Sep 29, 2013 at 2:01 AM, Les Hazlewood wrote:

> This is not built in to Shiro at the moment. Your best bet is to use
> Shiro's native session management and use a queryable session data store.
> Then, when a user request comes in, you can query the session data store
> and see if they have any existing sessions. If so, deny the request.
>
> HTH,
>
> --
> Les Hazlewood | @lhazlewood
> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
>
> On Fri, Sep 27, 2013 at 3:09 AM, gurjant singh wrote:
>
>> Hi,
>>
>> I have to allow a user to login only from one device at a time and have to
>> expire or invalidate the other sessions of that user if he has logged in
>> from other devices/browsers. How can we do this in Apache Shiro? Please
>> help me.
>>
>> Thanks,
>>
>> -Bunty

--
Do not pursue the past. Do not lose yourself in the future.
The past no longer is. The future has not yet come.
Looking deeply at life as it is in the very here and now,
the practitioner dwells in stability and freedom.
(Thich Nhat Hanh)
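One way to implement the "last login wins" policy discussed in this thread, as an added example that is neither Shiro's own code nor anything posted by the participants: a hypothetical `SingleSessionListener` hooked into Shiro's native session management. It assumes the `SessionDAO` in use implements `getActiveSessions()` (MemorySessionDAO and EnterpriseCacheSessionDAO do; a database-backed DAO would need its own query) and that the listener is registered on the `ModularRealmAuthenticator` with `setAuthenticationListeners()`.

```java
import java.util.Objects;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationListener;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.session.mgt.DefaultSessionKey;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;

/**
 * Hypothetical "last login wins" listener (example code, not part of Shiro).
 * It runs after each successful authentication, before Shiro stores the new
 * principals in the caller's session, so the new login never matches itself.
 */
public class SingleSessionListener implements AuthenticationListener {

    private final SessionDAO sessionDAO;         // the DAO wired into the SessionManager
    private final SessionManager sessionManager; // stops sessions through the normal lifecycle

    public SingleSessionListener(SessionDAO sessionDAO, SessionManager sessionManager) {
        this.sessionDAO = sessionDAO;
        this.sessionManager = sessionManager;
    }

    @Override
    public void onSuccess(AuthenticationToken token, AuthenticationInfo info) {
        Object principal = info.getPrincipals().getPrimaryPrincipal();
        // Keep the caller's own (pre-login) session, e.g. a re-login without logout.
        Session own = SecurityUtils.getSubject().getSession(false);
        Object ownId = own == null ? null : own.getId();

        for (Session s : sessionDAO.getActiveSessions()) {
            if (Objects.equals(s.getId(), ownId)) continue;
            // Saved principals live under this key, the attribute named in the thread.
            Object pc = s.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
            if (pc instanceof PrincipalCollection
                    && Objects.equals(((PrincipalCollection) pc).getPrimaryPrincipal(), principal)) {
                try { // resolve via the manager so stop() fires listeners and deletes the record
                    Session live = sessionManager.getSession(new DefaultSessionKey(s.getId()));
                    if (live != null) live.stop(); // next request on the old session is rejected
                } catch (SessionException alreadyInvalid) { /* expired or stopped: nothing to do */ }
            }
        }
    }

    @Override public void onFailure(AuthenticationToken token, AuthenticationException ae) { }
    @Override public void onLogout(PrincipalCollection principals) { }
}
```

Once the older session is stopped, any request still carrying its id fails session validation, which is the effect of "deny the request" without needing a separate check on every request.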