tomcat-users mailing list archives

From Nikola Milutinovic <>
Subject Re: Concurrent login detection - how?
Date Wed, 15 Jun 2005 14:38:05 GMT
Andre Van Klaveren wrote:

>I mentioned this issue (killing browser problem) in a previous
>posting.  The only way to prevent this is to invalidate the original
>session also in the event that a duplicate login was detected.  I can
>see a possible DOS attack problem with this solution though.  Maybe
>you shouldn't invalidate the original session and make the user call
>helpdesk to invalidate the original session.  This would aid in the
>tracking of this event also.

To DoS or not to DoS? I would let the session expire naturally, let the 
SessionListener clean up and log out the user, and when a duplicate comes 
in, tell them what the situation is. If they need access *now*, they can call 
the help desk.

>Using IP addresses is usually not a good way to detect duplicate
>logins.  I guess this would work in a controlled environment
>(intranet) where you can guarantee that the user(s) aren't behind a
>proxy server.  It's definitely not an option for a public site.
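The approach Nikola describes above (refuse the duplicate, let the orphaned session time out, rely on the session listener to release the user's slot) can be implemented with a per-user session registry and an HttpSessionListener. The following is an added example written for this archive page; it is not code from the thread or from Tomcat. The class name SingleSessionRegistry, the attribute name "auth.username", and the claimLogin/logout methods are assumptions chosen for illustration; only the javax.servlet listener API is real.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Registry of the single live session allowed per user, plus the listener
 * that releases a user's slot when that session is destroyed (explicit
 * logout or natural expiry). Hypothetical class written for this example.
 */
public class SingleSessionRegistry implements HttpSessionListener {

    /** Session attribute under which the authenticated username is stored (assumed name). */
    static final String USER_ATTR = "auth.username";

    /** username -> id of the session that currently holds that user's login. */
    private static final Map<String, String> ACTIVE = new ConcurrentHashMap<>();

    /**
     * Called by the login code after the password has been verified.
     * Returns true if this session now owns the user's single slot, false if
     * another live session already holds it. The original session is
     * deliberately NOT invalidated: otherwise anyone who knows a username
     * could log the real user out by attempting a login, which is the
     * denial-of-service concern raised in the thread.
     */
    public static boolean claimLogin(String username, HttpSession session) {
        String previous = ACTIVE.putIfAbsent(username, session.getId());
        if (previous == null || previous.equals(session.getId())) {
            session.setAttribute(USER_ATTR, username);
            return true;
        }
        return false; // duplicate login: caller explains the situation and refuses
    }

    /** Explicit logout: release the slot and drop the session. */
    public static void logout(HttpSession session) {
        String username = (String) session.getAttribute(USER_ATTR);
        if (username != null) {
            ACTIVE.remove(username, session.getId());
        }
        session.invalidate();
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to do until the user actually authenticates.
    }

    /**
     * Fired by the container both on invalidate() and on timeout. This is
     * what frees the slot after the "killed browser" case: the abandoned
     * session expires, the slot is released, and the next login succeeds.
     * remove(key, value) only removes the mapping if it still points at this
     * session, so a newer session for the same user is never clobbered.
     */
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        String username = (String) session.getAttribute(USER_ATTR);
        if (username != null) {
            ACTIVE.remove(username, session.getId());
        }
    }
}
```

The listener must be registered with the container (a listener element in web.xml naming SingleSessionRegistry) so that sessionDestroyed runs on timeout as well as on explicit invalidation; the login servlet calls claimLogin after credential verification and, on false, shows the "already logged in elsewhere, wait for the old session to expire or call the help desk" message instead of proceeding. Keying the registry on the username rather than the client IP address also sidesteps the proxy problem mentioned in the quoted posting.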


