tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Venkat" <>
Subject Disallowing Concurrent sessions
Date Thu, 01 Feb 2001 09:19:44 GMT
Hi All

This has reference to an previous discussion on  'disallowing concurrent
login' and Mr.Hans Bergsten came out with a suggestion of implementing
HttpSessionBindingListener interface, add every new user to a vector, check
the existence when a new user logs in ...

I have implemented a solution similar to that, create a table to store
details such as sessionId, User Ip, User's unique login id, session created
time etc., check the table for login id, if not found, create a new session,
add the loginid to that table and deny new session if the login  id is found
in the table.  so, if the same user or anybody with the same loginid tries
to sign again is redirected to another page which shows the details such the
session details from the table

This method works as long the user signs out using another jsp page which
removes all cookies and invalidates the session, but the probelm is that if
the user closes the browser window without signing out, those details are
never removed from the table and he will not be able to login at all unless
someone removes his details from the table

Here, I am looking for a mechanism

  1. which allows the tomcat container to remove all expired sessions from
using sessions Ids,

  2. Inform the first logged in user, log him out, invalidate that session
and    create new session for the newly signed in user

  3. A method which can invalidate a session by its session Id (such as
session.invalidate(sessionId), becuse HttpSession.invalidate()    method
does not take any arguement and invalidate current session)

I am contemplating this to work similar to Yahoo Messanger (invalidates old
session and creates new)

I seek your valuable suggestions

Thanks in advance


Do You Yahoo!?
Get your free address at

View raw message