thomas908
asked on
Kill the old session
Suppose user has logs in the site (IE) using a username "abc". Then he opens another window in the same machine and logs in with the same username ("abc"). Currrently what is happening is that user is able to work in both the sessions. But our project requirement is that the previous session should be killed. Is there any way I can do this.
SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
However,
It will break if it is not a new instance of IE, if you use the File > New Windows, as the session is shared, this logic will break.
David
It will break if it is not a new instance of IE, if you use the File > New Windows, as the session is shared, this logic will break.
David
Problem is two IE instances running on the same box is really no different to two instances running on different boxes.
is it two sessions from same machine thats a problem or is it the "SAME USER" in two sessions thats the problem??
if the requirement is that same user can not log in to two sessions as a given time than the easy way is to check whether the same user id have any current session in the system. if it does than you should be killing it...
how you want to track the user id is a problem that can be solved in different ways ( having a temporary table is one example)..
if the requirement is that same user can not log in to two sessions as a given time than the easy way is to check whether the same user id have any current session in the system. if it does than you should be killing it...
how you want to track the user id is a problem that can be solved in different ways ( having a temporary table is one example)..
ASKER
>>https://www.experts-exchange.com/questions/20507815/session-invalidate.html?query=invalidate+in+session&clearTAFilter=true
My problem is complete different from this. i have to invalidate a session from another session (same user, 2 windows[windows are NOT opened by ctr+n, session in first window needs to be invalidated] )
My problem is complete different from this. i have to invalidate a session from another session (same user, 2 windows[windows are NOT opened by ctr+n, session in first window needs to be invalidated] )
If it is not Ctrl+N, it means that the session is not shared, I think that my solution is still doable. I have never tested it by myself but logically it is possible. Am I right? :)
David
David
ASKER
>> depends how they open the other window. If its a new instance of IE then it is a completely different session.
Other window is opened by clicking on the IE icon in the taskbar, hence 2 different sessions.
Other window is opened by clicking on the IE icon in the taskbar, hence 2 different sessions.
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
>>then you'll need to maintain a list of sessions. perhaps using a SessionListener
I can maintain a list of sessions but how to logout previous session of user from current session.
I can maintain a list of sessions but how to logout previous session of user from current session.
once you've found the session call:
session.invalidate();
session.invalidate();
stamani have given a very good link 3 posts above. I think that should be solving your problem..
ASKER
>> stamani have given a very good link 3 posts above. I think that should be solving your problem..
Thanks
Stamani's link works but the problem is that is also works when the user logs in with the same name from differnet machines. We don't want it to work in that case (as the behaviour is different in that case). When the same user logs from different machine the second one is disallowed and first one continues to be logged in. So for the second user MaxUserException is thrown. This is automatically done by the proprietory framework that we are using and is not done at the portal end. We only need to handle the above mentioned problem at portal end
Thanks
Stamani's link works but the problem is that is also works when the user logs in with the same name from differnet machines. We don't want it to work in that case (as the behaviour is different in that case). When the same user logs from different machine the second one is disallowed and first one continues to be logged in. So for the second user MaxUserException is thrown. This is automatically done by the proprietory framework that we are using and is not done at the portal end. We only need to handle the above mentioned problem at portal end
SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
Another way is to set a cookie on the response with something unique in it..
if the request contains the cookie in it, you would know that its coming from the same machine ( you will have to couple this technique with stmani's trick of tracking a session)..
if the request contains the cookie in it, you would know that its coming from the same machine ( you will have to couple this technique with stmani's trick of tracking a session)..
SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
<c:remove var='username' scope='session' />
<c:remove var='username' scope='session' />
ASKER
Thanks everyone.
no worries :)
;). Glad I could help
David
David
The accepted answer here points to a very old page. We have a better solution now.
suggested by objects
>using a SessionListener
suggested by objects
>using a SessionListener
>>the accepted answer here points to a very old page. We have a better solution now.
suggested by objects
>using a SessionListene
look carefully to the question. You have to maintain a list of sessions to do the job. SessionListener helps to some extent but not all ...
suggested by objects
>using a SessionListene
look carefully to the question. You have to maintain a list of sessions to do the job. SessionListener helps to some extent but not all ...
acton, you are right.
Really all that is necessary is to include the following on JSP ( taken from codeguru's code at the link at accept answer above).
<%
Hashtable activeSessions = (Hashtable)application.get Attribute( "activeSes sions");
if(activeSessions == null)application.setAttrib ute("activ eSessions" ,new Hashtable());
String userName = request.getParameter("user Name"); //Should have a session attribute but for testing I use parameter.
if(userName == null)userName = "no name";
HttpSession activeSession = (HttpSession)activeSession s.get(user Name);
if(activeSession != null && session != activeSession){
activeSession.invalidate() ;
activeSessions.put(userNam e,session) ;
} else activeSessions.put(userNam e,session) ;
%>
Really all that is necessary is to include the following on JSP ( taken from codeguru's code at the link at accept answer above).
<%
Hashtable activeSessions = (Hashtable)application.get
if(activeSessions == null)application.setAttrib
String userName = request.getParameter("user
if(userName == null)userName = "no name";
HttpSession activeSession = (HttpSession)activeSession
if(activeSession != null && session != activeSession){
activeSession.invalidate()
activeSessions.put(userNam
} else activeSessions.put(userNam
%>
Sounds like you need to track all sessions, and the IP address that created them and check for any existing session with same ip. This however won't work thru firewalls etc as you won't know the actual ip of your user.