tomcat-users mailing list archives

From Andre Van Klaveren <nyb...@gmail.com>
Subject Re: Concurrent login detection - how?
Date Wed, 15 Jun 2005 13:57:14 GMT
I mentioned this issue (killing browser problem) in a previous
posting.  The only way to prevent this is to invalidate the original
session also in the event that a duplicate login was detected.  I can
see a possible DOS attack problem with this solution though.  Maybe
you shouldn't invalidate the original session and make the user call
helpdesk to invalidate the original session.  This would aid in the
tracking of this event also.

Using IP addresses is usually not a good way to detect duplicate
logins.  I guess this would work in a controlled environment
(intranet) where you can guarantee that the user(s) aren't behind a
proxy server.  It's definitely not an option for a public site.



On 6/15/05, Nikola Milutinovic <Nikola.Milutinovic@ev.co.yu> wrote:
> David Rickard wrote:
> 
> > Don't know if this is an optimum solution, but it should work:
> > Keep a List or Vector of IDs for active users in a shared,
> > application-level object (probably ServletContext);
> > When someone logs in, search the List for the submitted ID: if not
> > present, continue with login sequence; if present, kick them to the
> > "duplicate login" page;
> > Remove IDs from the List when users log out (and add a
> > ServletContextListener to catch people who leave the site without
> > logging out--remove their IDs when their sessions time out);
> 
> 
> This is definitely a correct approach, but it has one shortcoming.
> Suppose one user opens up a session (logs in) and his/her browser dies.
> The user opens another browser and tries to login, only to be kicked to
> "duplicate user" page. I think in this case, the original poster should
> have a vector or a hash map of user names and remote machine names/IPs.
> 
> Nix.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 


-- 
Virtually,
Andre Van Klaveren
Architect III, SCP
Enterprise Transformation Services
Unisys Corporation
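One way to implement the registry David describes, with Andre's "invalidate the original session" variant as an option, as an added example (this is not code from the thread or from Tomcat). It keys on the user name rather than the remote IP, for the reasons Andre gives. It assumes the Servlet 3.0+ javax.servlet API (on Tomcat 10 and later the package is jakarta.servlet), a single-JVM deployment where holding HttpSession references in the ServletContext is safe, and a login servlet that calls ActiveLoginRegistry.login after the credentials have been verified; the attribute names are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Registry of active logins: at most one session per user name.
 * Registered as a ServletContextListener (creates the shared map at startup)
 * and as an HttpSessionListener (drops the entry when a session is invalidated,
 * whether by an explicit logout or by the container timing it out).
 */
@WebListener
public class ActiveLoginRegistry implements ServletContextListener, HttpSessionListener {

    // Hypothetical attribute names; any unique strings will do.
    static final String REGISTRY_ATTR = ActiveLoginRegistry.class.getName();
    static final String USER_ATTR = "login.user";

    /** Outcome of a login attempt. */
    public enum Result { OK, DUPLICATE, REPLACED }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        sce.getServletContext().setAttribute(REGISTRY_ATTR,
                new ConcurrentHashMap<String, HttpSession>());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        sce.getServletContext().removeAttribute(REGISTRY_ATTR);
    }

    @SuppressWarnings("unchecked")
    static Map<String, HttpSession> registry(ServletContext ctx) {
        return (Map<String, HttpSession>) ctx.getAttribute(REGISTRY_ATTR);
    }

    /**
     * Called by the login servlet after the password has been verified.
     * kickExisting == false: the second login is refused (the "duplicate login" page).
     * kickExisting == true:  the earlier session is invalidated, so a user whose browser
     * died can get back in. The trade-off Andre points out applies: anyone holding the
     * password can now knock the real user off at will, so log REPLACED results.
     */
    public static Result login(HttpSession session, String user, boolean kickExisting) {
        Map<String, HttpSession> active = registry(session.getServletContext());
        while (true) {
            HttpSession prior = active.putIfAbsent(user, session);
            if (prior == null || prior == session) {
                session.setAttribute(USER_ATTR, user);
                return Result.OK;
            }
            if (!kickExisting) {
                return Result.DUPLICATE;
            }
            // Swap the entry only if nobody raced us; otherwise loop and re-check.
            if (active.replace(user, prior, session)) {
                session.setAttribute(USER_ATTR, user);
                try {
                    // Fires sessionDestroyed for the old session; the remove(key, value)
                    // there will not touch the entry that now points at the new session.
                    prior.invalidate();
                } catch (IllegalStateException alreadyInvalid) {
                    // Old session expired between our check and the invalidate; nothing to do.
                }
                return Result.REPLACED;
            }
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to do until the user actually logs in.
    }

    /** Logout or timeout: remove the mapping, but only if it still points at this session. */
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        String user = (String) session.getAttribute(USER_ATTR);
        if (user != null) {
            registry(session.getServletContext()).remove(user, session);
        }
    }
}
```

Two caveats for anyone using this shape: call it only after any session-id regeneration you do on login (for example request.changeSessionId() on Servlet 3.1+), otherwise the registry ends up holding a session the client no longer uses; and because the map holds HttpSession references inside one JVM, it does not detect a second login on another node of a clustered deployment.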
