From: chris derham
Date: Fri, 13 Jan 2012 22:09:44 +1300
Subject: Re: Strategy to prohibit concurrent users authenticated through Tomcat
To: Tomcat Users List

>> I am using Tomcat 7.0.11 and use Form Authentication (via
>> j_security_check) to authenticate through the Tomcat server.
>> Currently, two users with the same username can log into my application
>> from two different computers and concurrently access the app.
>> Is there a way to prohibit a user from authenticating if a user with the
>> same username has previously authenticated and still has an active session?

We use spring security in a web app that is deployed in tomcat. It has built in support for this - you can configure to either disallow subsequent sessions, or kill the first session and allow subsequent sessions. This should explain it better than I can http://static.springsource.org/spring-security/site/docs/3.0.x/reference/session-mgmt.html. Don't know how big a task it would be for you to move to this, but it works really well for us.

> If you provide a bit more information about what you are trying/need to do,
> someone may come up with a better idea.
> For example, what is the real problem - in your application - when two
> people at different computers login with the same user-id ?

+1

Chris
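
The two behaviours mentioned in the reply above, as an added configuration example for the Spring Security 3.0.x XML namespace. It is not code from the thread; the `/login.jsp` URLs, the `ROLE_USER` role and the intercept patterns are assumed placeholders, and the `<http>` fragments assume the security namespace is the default namespace of the context file.

```xml
<!-- Added example (not from the thread). URLs, role and patterns are assumed. -->

<!-- 1) WEB-INF/web.xml: publish session-destroyed events so the session
        registry drops a session on logout or timeout. Without this listener
        a user who hit the limit stays locked out after the old session ends. -->
<listener>
  <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

<!-- 2a) Security context, option A: disallow subsequent sessions.
         The second login for the same username is rejected; with form login
         the user is sent to authentication-failure-url. -->
<http auto-config="true">
  <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <intercept-url pattern="/**" access="ROLE_USER" />
  <form-login login-page="/login.jsp"
              authentication-failure-url="/login.jsp?error=1" />
  <session-management>
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
  </session-management>
</http>

<!-- 2b) Option B (use instead of 2a): allow the new login and expire the
         first session. error-if-maximum-exceeded defaults to false; the next
         request on the expired session is redirected to expired-url. -->
<http auto-config="true">
  <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <intercept-url pattern="/**" access="ROLE_USER" />
  <form-login login-page="/login.jsp"
              authentication-failure-url="/login.jsp?error=1" />
  <session-management>
    <concurrency-control max-sessions="1" expired-url="/login.jsp?expired=1" />
  </session-management>
</http>
```

The session registry keys sessions by principal, so a custom `UserDetails` class needs consistent `equals()` and `hashCode()` for two logins of the same user to be counted together.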