Solved

Avoiding Same User Logging in Multiple Systems

Posted on 2006-11-28
11
172 Views
Last Modified: 2010-03-31
Hi Experts,

I have built a web application using J2EE. I would like to avoid same user logging in multiple systems.

Please advice.

Regards
Vijay T. Prabakar
0
Comment
Question by:CIPL-Senthil
11 Comments
 
LVL 35

Expert Comment

by:girionis
ID: 18027315
Is your application deployed within a cluster? If yes then the session should be replicated across the cluster and you shouldn't need to do anything in order to assure the user won't login twice.

If not the best way is to always send a cookie with the user request. In this cookie you should have information about the user, for example something like login=true. Then upon each request check this cookie. If the login is true then the user is logged in, if not show the login page.
0
 

Author Comment

by:CIPL-Senthil
ID: 18027379
Hi girionis,

Say, a user with login name 'abc' and password 'abc' logs in machine1 and without logging out of machine1 the same user logs in machine2 with same login name and password ie., 'abc' and 'abc'.

How can I avoid this?

Please advice.

Regards
Vijay T. Prabakar
0
 
LVL 35

Accepted Solution

by:
girionis earned 50 total points
ID: 18027457
Is the login in the two machines happening from the same browser in the same computer? If yes then you can control it by either checking the session or the cookies. If not, then there is no way to do it.
0
 
LVL 10

Assisted Solution

by:ADSLMark
ADSLMark earned 50 total points
ID: 18027471
You can use a session key. If the user logins into the system, you create a session key and store it in the database at the user's record.

For example:
username: abc
password: <hashed password>
sessionkey: <some hash key>

Next if the user communicates with the system, the application should sent along the session key and you should check the session key on the server. If the key does not equal the key stored with that persons username, then he is not logged on the system anymore. If the user tries to login from another machine2, then the sessionkey will change so the previous situation will occur for the user at machine1.

Using session keys also improves security, since you do not need to sent over the user+password every time (which is a bit risky since if the password (even an hashed password) is intercepted, then a evil person can brute force this password and always use it to logon the system), brute forcing a session key is useless and session keys only last for one session. You can even make it more secure to renew the session key every x minuts.

Good luck.
Mark
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 12

Assisted Solution

by:enachemc
enachemc earned 50 total points
ID: 18027724
keep all your sessions in a weak hash map, and if a users makes a second log on, retrieve the previous session from the map and invalidate it.
0
 
LVL 35

Expert Comment

by:girionis
ID: 18028398
I think the issue is for the user *not to be* prompted for a second login if he is already logged in.
0
 
LVL 6

Assisted Solution

by:SamsonChung
SamsonChung earned 50 total points
ID: 18029245
that depends on the actual implementation.

I once wrote a program that goes to a generic user Table.

and fill a column of 'logged_in_session' +1, and another column called 'TotalAllowed'

Now, my codes would simply validate to see if logged_in_session >= TotalAllowed.

if that is false, continue with login.

else error message.

0
 
LVL 2

Assisted Solution

by:harshgrover
harshgrover earned 50 total points
ID: 18031253
i would agree with SamsonChung's idea...another implementation could also have a boolean field in the table which stores the User info. Everytime the user signs on, the boolean field could be set to true. and if the field is true, you could prompt an error message to the user indicating that he is already signed on. this would not cause any performance degrade too, since you would just be retrieving another field from the same user record in the database.
0
 
LVL 12

Expert Comment

by:enachemc
ID: 18032152
yes, make a DB query as oposed to keeping a hashmap. you make the calculations, and if you are in advantage .... make them again.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Introduction This article is the first of three articles that explain why and how the Experts Exchange QA Team does test automation for our web site. This article explains our test automation goals. Then rationale is given for the tools we use to a…
Introduction This article is the second of three articles that explain why and how the Experts Exchange QA Team does test automation for our web site. This article covers the basic installation and configuration of the test automation tools used by…
Viewers learn about the “for” loop and how it works in Java. By comparing it to the while loop learned before, viewers can make the transition easily. You will learn about the formatting of the for loop as we write a program that prints even numbers…
This tutorial will introduce the viewer to VisualVM for the Java platform application. This video explains an example program and covers the Overview, Monitor, and Heap Dump tabs.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now