tomcat-users mailing list archives

From Tobias Meyer
Subject AW: custom session manager
Date Thu, 06 Oct 2005 08:16:05 GMT

> -----Original Message-----
> From: Leon Rosenberg
> Sent: Thursday, 6 October 2005 07:43
> To: Tomcat Users List; Mark
> Subject: Re: custom session manager
> On 10/6/05, Mark wrote:
> > basically, I want to prevent users from logging in and creating a
> > second session if a valid session for that user already exists.
> >
> > For instance.
> >
> > 1. Log in to my web app, session is created
> > 2. browse around in my web app
> > 3. close browser, do not logout
> > 4. Start browser up again
> > 5. try and log in
> > 6. Do not allow login, have user 'reconnect' to the old session
> > created in step 1.
> >
> > I have written quite a few web based apps, and I know of no way to
> > kill the session at step 3.
> pretty easy, set session timeout to 1 minute and integrate a hidden
> frame or javascript-loaded-image in your application that reloads every
> 30 seconds. 60-99 seconds after the user closed his browser the
> session would be killed.

Or, you could add a static hashmap to your Servlet (or a bean if using JSPs)
where you simply add the sessions with every request. You would have to put
an attribute implementing javax.servlet.http.HttpSessionActivationListener
in each session though, that removes the session from your hashmap when the
session is expired, or you will end up having many invalid entries in
your hashmap. (And I don't even know what happens if you keep the references
to those Session objects when they are recycled by Tomcat.)
We do this to keep track of our sessions within the application.

A quick google revealed with
example code.

Once you have the list of sessions, it should be easy to expire the old ones
for the same user...

Though this will allow you to have only one session per user, it will not
kill the session immediately after step 3.
Using the reload as described above will do that, but prevents you from
having a security-logout if the user just has his browser open all day
(without actually doing anything).


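The session-tracking map described in the message above, as an added example that is not part of the original post or of Tomcat. `SingleSessionRegistry`, `register` and `Marker` are hypothetical names, the `javax.servlet` API is assumed on the classpath, and the example uses `HttpSessionBindingListener`, whose `valueUnbound` callback the servlet API invokes when a session is invalidated or times out.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Hypothetical helper: keeps at most one live session per user name. */
public final class SingleSessionRegistry {

    // user name -> marker of that user's current session (the static map from the post)
    private static final ConcurrentMap<String, Marker> ACTIVE = new ConcurrentHashMap<>();

    private static final String MARKER_ATTR = SingleSessionRegistry.class.getName() + ".marker";

    private SingleSessionRegistry() { }

    /** Call once after successful authentication, passing the new login's session. */
    public static void register(String user, HttpSession session) {
        Marker marker = new Marker(user, session);
        // Bind the marker before publishing it, so every map entry has a cleanup hook.
        session.setAttribute(MARKER_ATTR, marker);
        Marker previous = ACTIVE.put(user, marker);
        if (previous != null) {
            try {
                previous.session.invalidate(); // expire the older login of this user
            } catch (IllegalStateException alreadyInvalid) {
                // the old session timed out concurrently; nothing left to do
            }
        }
    }

    /** Session attribute whose unbinding signals that its session is gone. */
    private static final class Marker implements HttpSessionBindingListener {
        private final String user;
        private final HttpSession session;

        Marker(String user, HttpSession session) {
            this.user = user;
            this.session = session;
        }

        @Override
        public void valueBound(HttpSessionBindingEvent event) { }

        @Override
        public void valueUnbound(HttpSessionBindingEvent event) {
            // Two-argument remove: drop the entry only if it still belongs to this
            // marker, so expiring the old session never evicts the new login.
            ACTIVE.remove(user, this);
        }
    }
}
```

Because the map entry is removed from inside `valueUnbound`, the registry never keeps a reference to a session after the container has invalidated it.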