Link to home
Create AccountLog in
Avatar of thomas908
thomas908

asked on

Kill the old session

Suppose user has logs in the site (IE) using a username "abc". Then he opens another window in the same machine and logs in with the same username ("abc"). Currrently what is happening is that  user is able to work in both the sessions. But our project requirement is that the previous session should be killed. Is there any way I can do this.
Avatar of Mick Barry
Mick Barry
Flag of Australia image

depends how they open the other window. If its a new instance of IE then it is a completely different session.
Sounds like you need to track all sessions, and the IP address that created them and check for any existing session with same ip. This however won't work thru firewalls etc as you won't know the actual ip of your user.
SOLUTION
Avatar of suprapto45
suprapto45
Flag of Singapore image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
However,

It will break if it is not a new instance of IE, if you use the File > New Windows, as the session is shared, this logic will break.

David
Problem is two IE instances running on the same box is really no different to two instances running on different boxes.
is it two sessions from same machine thats a problem or is it the "SAME USER" in two sessions thats the problem??

if the requirement is that same user can not log in to two sessions as a given time than the easy way is to check whether the same user id have any current session in the system. if it does than you should be killing it...

how you want to track the user id is a problem that can be solved in different ways ( having a temporary table is one example)..
Avatar of thomas908
thomas908

ASKER

>>https://www.experts-exchange.com/questions/20507815/session-invalidate.html?query=invalidate+in+session&clearTAFilter=true

My problem is complete different from this. i have to invalidate a session from another session (same user, 2 windows[windows are NOT opened by ctr+n, session in first window needs to be invalidated] )
If it is not Ctrl+N, it means that the session is not shared, I think that my solution is still doable. I have never tested it by myself but logically it is possible. Am I right? :)

David
>> depends how they open the other window. If its a new instance of IE then it is a completely different session.

Other window is opened by clicking on the IE icon in the taskbar, hence 2 different sessions.
ASKER CERTIFIED SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
>>then you'll need to maintain a list of sessions. perhaps using a SessionListener
I can maintain a list of sessions but how to logout previous session of user from current session.
once you've found the session call:

session.invalidate();
stamani have given a very good link 3 posts above. I think that should be solving your problem..
>> stamani have given a very good link 3 posts above. I think that should be solving your problem..
Thanks
Stamani's link works but the problem is that is also works when the user logs in with the same name from differnet machines. We don't want it to work in that case (as the behaviour is different in that case). When the same user logs from different machine the second one is disallowed and first one continues to be logged in. So for the second user MaxUserException is thrown. This is automatically done by the proprietory framework that we are using and is not done at the portal end. We only need to handle the above mentioned problem at portal end
SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
Another way is to set a cookie on the response with something unique in it..
if the request contains the cookie in it, you would know that its coming from the same machine ( you will have to couple this technique with stmani's trick of tracking a session)..
SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
<c:remove var='username' scope='session' />
Thanks everyone.
no worries :)
;). Glad I could help

David
The accepted answer here  points to a very old page.  We have a better solution now.  
suggested by objects
>using a SessionListener
>>the accepted answer here  points to a very old page.  We have a better solution now.  
suggested by objects
>using a SessionListene

look carefully to the question. You have to maintain a list of sessions to do the job. SessionListener helps to some extent  but not all ...

acton, you are right.  
Really all that is necessary is to include the following on  JSP ( taken from codeguru's code at the link at accept answer above).

<%
 Hashtable activeSessions = (Hashtable)application.getAttribute("activeSessions");
 if(activeSessions == null)application.setAttribute("activeSessions",new Hashtable());
 String userName = request.getParameter("userName"); //Should have a session attribute but for testing I use parameter.
 if(userName == null)userName = "no name";              
 HttpSession activeSession = (HttpSession)activeSessions.get(userName);
 if(activeSession != null && session != activeSession){
                              activeSession.invalidate();
                              activeSessions.put(userName,session);
 } else activeSessions.put(userName,session);    
%>