tomcat-users mailing list archives

From André Warnier>
Subject Re: Strategy to prohibit concurrent users authenticated through Tomcat
Date Fri, 13 Jan 2012 07:43:07 GMT wrote:
> I am using Tomcat 7.0.11 and use Form Authentication (via j_security_check) to authenticate
> through the Tomcat server.
> Currently, two users with the same username can log into my application from two different
> computers and concurrently access the app.
> Is there a way to prohibit a user from authenticating if a user with the same username
> has previously authenticated and still has an active session?
There is always a way, but not necessarily an easy way.
I do not know of any standard authentication scheme which would prevent that.

Maybe you should first reconsider your basic scheme: in my experience, it is always a bad idea in the end, in terms of security and in terms of audit (and in many cases in terms of application logic), to use "group" ids (iow allowing more than one physical person to login under a common user-id). The main point is: when something happens, you never know who did it (be that for support, debugging, statistics or security reasons).
It also interferes with things like "personal settings" etc.

I know of /applications/ which control that. For example, one database system which I use allows setting for each user-id a "maximum simultaneous login count" which limits the user's concurrent sessions to 1..n (settable by the administrator).

Another way would be to use a servlet filter to keep a count or a flag. But it's tricky, because you need to store that somewhere, and you need to make sure that whatever happens (e.g. an application or user error) this count always gets reset when a user's session is terminated (even unexpectedly).

If you provide a bit more information about what you are trying/need to do, someone may come up with a better idea.
For example, what is the real problem - in your application - when two people at different computers login with the same user-id?
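One way to build the filter-plus-flag approach suggested in the reply, as an added example that is not from the original post nor from Tomcat itself. It assumes the Servlet 3.0 API that Tomcat 7 ships; the class name, the session attribute name and the 409 response are my own choices. The flag is released in `HttpSessionListener.sessionDestroyed`, which the container fires on logout, timeout and shutdown alike, so it is reset even when the user never logs out explicitly.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

/** Hypothetical one-session-per-username guard (illustrative, not Tomcat code). */
@WebFilter("/*")
@WebListener
public class SingleSessionGuard implements Filter, HttpSessionListener {
    // username -> id of the session that currently owns that username.
    // Static so the filter instance and the listener instance share it.
    // Per-JVM only: a cluster would need a shared store (e.g. a database).
    private static final ConcurrentMap<String, String> OWNERS = new ConcurrentHashMap<>();
    private static final String USER_ATTR = "guard.user"; // assumed attribute name

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Principal p = http.getUserPrincipal();      // set by Tomcat after j_security_check
        HttpSession session = http.getSession(false);
        if (p != null && session != null) {
            String user = p.getName();
            // putIfAbsent is atomic: only one session can claim a username at a time
            String owner = OWNERS.putIfAbsent(user, session.getId());
            if (owner != null && !owner.equals(session.getId())) {
                // Another live session already holds this username: refuse this one
                session.invalidate();
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_CONFLICT,
                        "User already logged in elsewhere");
                return;
            }
            session.setAttribute(USER_ATTR, user); // so sessionDestroyed can release it
        }
        chain.doFilter(req, res);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Called on logout, timeout or container shutdown; attributes are still readable.
        HttpSession s = se.getSession();
        Object user = s.getAttribute(USER_ATTR);
        if (user != null) OWNERS.remove(user, s.getId()); // only if this session still owns it
    }

    @Override public void sessionCreated(HttpSessionEvent se) { }
    @Override public void init(FilterConfig c) { }
    @Override public void destroy() { }
}
```

The conditional `remove(key, value)` matters: a rejected second session is invalidated too, and without the ownership check its `sessionDestroyed` would wrongly free the username held by the first session.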
