only one client request at a time

I have a requirement that i should not let the same client make requests from different if i have logged in one system i should not be allowed to login in another just like how yahoo messenger works. So we all know that we use session to maintain conversation between client requests. How will the session then check that the same client is making request from two different browsers.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Is the requirement to prevent multiple logins to the same account from multiple browsers (and would you also want to prevent multiple machines from logging in to the same account)? Or is the requirement to prevent a single machine from being able to simultaneously login to multiple accounts? Is it ok if a client has multiple browser windows open making requests?

From the JSP side of things, you will need a global object that you can store (client, session) pairs in (I'd tend to us a map of some sort). Which will allow you to prevent multiple sessions for a single client.

How to identify a client is the real trick and will depend on how you answered the first question. If it is really the machine you want, then the IP address is probably the best answer you're going to get. If it is just multiple simultaneous logins you want to prevent, then the client is really the login info. So after they send their login info, check if they already exist in your table and you can either reject the new login, discard the old session, or just treat the two sessions as one session.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Murali MurugesanFull stack Java developerCommented:
Have something like LOG table in the database.

On every successful login have a record inserted in it or just have a flag in existing table to indicate user logged in or not.

On every login if the logged_in flag is NO then allow user to enter after updating it to "YES". So if the same user id is entered from different machine or browser just check if tht user id is logged in. If already YES the give him a message "Already logged in".

Also implement HttpSessionListener and in OnSessionDestroyed just make sure the db table is updated to "NO" for logged_in flag. Bcoz there are chances that user can just close the browser instead of logout.

Tomas Helgi JohannssonCommented:

You could try this

in combination with the logged in/not logged in in the session.
Usually the IP address is different.
However if multiple users are behind the same firewall and one static IP-Address I believe
that you would get the same IP-Address from multiple browsers.
To solve that problem you have the opportunity to look at some internal session attributes

as well as create your own attributes to handle this.

   Tomas Helgi
Become a Certified Penetration Testing Engineer

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

SunScreenCertAuthor Commented:
But it is same system but not allowing multiple browsers
Tomas Helgi JohannssonCommented:

Like Murali says you can solve this by creating a "LOGIN" table that hold the username and sessionID of the session (and even the clients RemoteAddress).
When the session ends or timeout you delete the users record from the table.
The check should be on both the username and/or the sessionid to the user and/or sessionId that is trying to logg on.
So if the user is already logged on and is trying to log on from another computer/browser you simply tell the server to end the session that is tied to the
current "logged in" browser and logg in the user that is currently trying to logged in.

You can see similar functionality in the Windows Live Messenger and other similar clients.

   Tomas Helgi
Tomas Helgi JohannssonCommented:
Forgot to mention that a simple HttpSessionListener could do this

  Tomas Helgi
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Java EE

From novice to tech pro — start learning today.