I´m working on a web application with Java EE 6 (JSF CDI EJB) which should not allow concurrent logins (same user and pass).
What I like is :
If a user logs in twice the first session needs to be invalidated and the old session data (incl. all CDI Beans with SessionScope or other scopes like WindowScope from Apache CODI ) gets transferred to the new session.
It's something like a wanted session hijacking approach :-)
There is no inherent mechanism for this in Java EE 6.
As I can't imagine that you want to transfer something like an ongoing usecase (e.g. an open checkout-process) from one session to another, I suggest that you simply track the user's GUI state.
RESTful URLs sound like an ideal approach for this. Persist the last user URL / user action (e.g. www.myapp.com/orders/new/12) and reopen it on a new login.
If you don't want to persist this in the DB, an application-scoped map userid / url might be the KISS way.
You could use an stateless bean for the user, so every time one should try to log in / re-log in, the current session gets invalidated (at the beginning of the log in procedure)
consider this kind of approach :
try {
session = request.getSession(); //the request is passed by another page or action
if(session.getAttribute("user") != null) {
//your code to forward or handle the existing user (re-log in/ do nothing etc.)
}
I solved this issue with the help of a filter
public class SessionReplicationFilter implements Filter {
@Inject
SessionReplicationManager manager;
public SessionReplicationFilter() {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
//Process chain first
if (chain != null) {
chain.doFilter(request, response);
}
//check http request
if (request instanceof HttpServletRequest) {
HttpServletRequest httpRequest = (HttpServletRequest) request;
// Retrieve the session and the principal (authenticated user)
// The principal name is actually the username
HttpSession session = httpRequest.getSession();
Principal principal = httpRequest.getUserPrincipal();
if (principal != null && principal.getName() != null && session != null) {
manager.checkExistingSession(principal.getName(), session))
}
}
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void destroy() {
}
}
The Manager looks following
@ApplicationScoped public class SessionReplicationManager {
private Map<String, HttpSession> map = new ConcurrentHashMap<String, HttpSession>();
public boolean checkExistingSession(String user, HttpSession session) {
if (map.keySet().contains(user)) {
if (!session.getId().equals(map.get(user).getId())) {
System.out.println("User already logged in ");
HttpSession oldSession = map.get(user);
// copies all attributes from the old session to the new session (replicate the session)
Enumeration<String> enumeration = oldSession.getAttributeNames();
while (enumeration.hasMoreElements()) {
String name = enumeration.nextElement();
System.out.println("Chaning attribut " + name);
session.setAttribute(name, oldSession.getAttribute(name));
}
// invalidates the old user session (this keeps one session per user)
oldSession.invalidate();
map.put(user, session);
return true;
}
} else {
System.out.println("Putting "+user+" into session cache");
map.put(user, session);
return false;
}
return false;
}
}
It works very well with CoDI ViewScoped annotated Beans
If the first user gets invalidated every (AJAX) request causes a session expired exception which could easily be handled even with a restore session button
Only minor problem with the viewscoped beans is, that they get a new view id. By changing them back to the origin one everything works fine.
Things I need to add :
Missing in this comment :
Regards