tomcat-dev mailing list archives

From "Craig R. McClanahan" <>
Subject Re: NullPointerException from HttpSessionFacade.invalidate()
Date Mon, 15 Jan 2001 19:23:03 GMT
Gokul Singh wrote:

> Hans Bergsten wrote:
> > [...]
> > The spec may not be explicit enough about this, but the session object
> > you get back from the getSession() object is a container-managed object
> > that the application is not supposed/allowed to keep long-lived
> > references to. It's the same as with all other container-objects made
> > available to the application; request, response, JSP tag handlers, etc.
> >
> > I'm not sure why you're keeping references to the session objects in
> > your application, but if you describe what you're trying to do I'm
> > sure I can give you a hint about another way to accomplish the same
> > thing without the problems you have with your current solution.
>
> I am trying to disallow a single user to have multiple login sessions
> valid at any given time. I have to enforce this even if the user tried
> to login from two different machines. Can you suggest a solution for this
> which works on tomcat 3.2.1 and uses servlet specs 2.2 only.
>
> Regds, Gokul

When I had to do something similar, I maintained a Hashtable in a servlet
context attribute that was keyed by username rather than by session id.  My
login logic (that processed the username and password) checked for the username
already being in this Hashtable, and disallowed a login if it was already
there.  For logout, I also stuck in a session attribute which implemented
HttpSessionBindingListener, so that I could remove this user's entry when the
current session was invalidated.

As others will undoubtedly point out, you still get to face the usual set of
issues when a user has multiple windows open on the same client machine.
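
A sketch of the approach described in the reply above, added here as an illustration and not code from the original message or from Tomcat. The class name `SingleLoginGuard` and both attribute names are hypothetical; it uses only Servlet 2.2 API calls and stores the session id rather than a reference to the session object.

```java
import java.util.Hashtable;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

// Hypothetical helper: one active login per username, tracked in a context attribute.
public class SingleLoginGuard implements HttpSessionBindingListener {
    private static final String TABLE_ATTR = "example.activeLogins"; // assumed name
    private static final String GUARD_ATTR = "example.loginGuard";   // assumed name

    private final Hashtable table;   // username -> session id (no session references kept)
    private final String username;
    private final String sessionId;

    private SingleLoginGuard(Hashtable table, String username, String sessionId) {
        this.table = table;
        this.username = username;
        this.sessionId = sessionId;
    }

    // Call only after the password has been verified.
    // Returns false when the user already has a live session.
    public static boolean tryLogin(ServletContext ctx, HttpSession session, String username) {
        Hashtable table;
        // One lock covers lookup, check and insert, so two simultaneous
        // logins for the same user cannot both pass the containsKey test.
        synchronized (SingleLoginGuard.class) {
            table = (Hashtable) ctx.getAttribute(TABLE_ATTR);
            if (table == null) {
                table = new Hashtable();
                ctx.setAttribute(TABLE_ATTR, table);
            }
            if (table.containsKey(username)) {
                return false;
            }
            table.put(username, session.getId());
        }
        // Binding the guard makes the container call valueUnbound() later.
        session.setAttribute(GUARD_ATTR, new SingleLoginGuard(table, username, session.getId()));
        return true;
    }

    public void valueBound(HttpSessionBindingEvent event) { }

    // Called on invalidate(), session timeout, or removal of the attribute.
    public void valueUnbound(HttpSessionBindingEvent event) {
        synchronized (SingleLoginGuard.class) {
            // Remove the entry only if it still belongs to this session.
            if (sessionId.equals(table.get(username))) {
                table.remove(username);
            }
        }
    }
}
```

With this design a user who closes the browser without logging out stays locked out until the session times out and the container fires `valueUnbound()`, so the session timeout sets the lockout window.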

