0

I hope my question in the title makes sense. If not, let's say: on machine A, via the web browser, I log in as admin; I go to machine B and log in as admin; the web browser on machine A should force a logout of user admin. I gave this some thought, and I think it will be ugly if I try to implement this manually. I have a feeling that this can be done in Glassfish.

I use Java EE 6 + Glassfish v3.0.1. Authentication and authorization are implemented via a jdbcRealm set up in Glassfish.

Thang Pham
  • 1
    Do you control both machines? If not, are the machines both in the same domain, and is B issuing cookies for the shared domain rather than itself? If the answer to both questions is no, then this can't be done. – Tom Anderson Sep 06 '10 at 20:42
  • 1
    @Tom: I think he actually meant "client machine", not "server machine" here. @Harry: similar question: http://stackoverflow.com/questions/2372311/jsf-how-to-invalidate-an-user-session-when-he-logs-twice-with-the-same-credentia – BalusC Sep 06 '10 at 21:44
  • @BalusC: Aaah, yes, my misunderstanding, I see. – Tom Anderson Sep 06 '10 at 21:59
  • Thank you so much BalusC and sorry for the confusion Tom. +1 – Thang Pham Sep 07 '10 at 00:51
  • @BalusC: Thanks, I figured it out. Just out of curiosity, if I want to create a notification saying that you have been logged out because you logged in somewhere else, how would I go about accomplishing that? – Thang Pham Sep 07 '10 at 15:37
  • 1
    You'd like to check if the user has requested a session ID which is after all invalid. See my answer on [this question](http://stackoverflow.com/questions/3306228/how-to-differentiate-between-logout-and-session-expired). – BalusC Sep 07 '10 at 15:47

1 Answer

5
  • create and map (using <listener>..</listener> in web.xml) an HttpSessionListener
  • on sessionCreated(..) store a reference to the session in the ServletContext, in a Map<String, Session>
  • when the user logs in, get the Map from the ServletContext and see if any session there has the same user / userId as a session attribute.
  • if there is, session.invalidate() it.
  • if you want to use this in a cluster, you can either use a database to store the information so that it is accessible from everywhere, or use a distributed cache (JBoss Cache, Ehcache)
Bozho
  • 1
    Maybe a Map rather than a set, to allow easy lookups by userid rather than having to iterate. – Tom Anderson Sep 06 '10 at 22:00
  • @Thorbjørn Ravn Andersen, if the solution has to involve Java, the map must be shared across all JVMs (so possibly Terracotta or Coherence might help). But such a solution can be considered "heavy" if an object caching solution is used for only one feature. It might in fact, turn out to be easier to store the list in a database, and lazily-expire sessions. – Vineet Reynolds Sep 07 '10 at 08:36
  • Can you give me some sample code? The above explanations are extremely good, but I am a bit new to this business, so a lot of it doesn't make much sense to me. Thank you, and sorry for the trouble. – Thang Pham Sep 07 '10 at 13:30
  • 2
    @Harry: basically, you need to replace `Map` (as per Bozho's example) by a (shared) database table and fire SQL queries instead of `Map#get()`, `Map#remove()` and so on. – BalusC Sep 07 '10 at 13:35
  • Or a distributed cache. I added these options to the answer – Bozho Sep 07 '10 at 13:43
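
The steps from the answer as one listener class; this is an added example, not code from the answer or its comments. It keys the map by user ID and fills it at login (the lookup Tom Anderson's comment suggests) instead of in sessionCreated; the class name `SingleLoginListener`, the `onLogin` hook and the two attribute names are assumptions.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added example. Register it with <listener> in web.xml, as the answer describes.
public class SingleLoginListener implements HttpSessionListener {
    private static final String REGISTRY = "example.activeSessions"; // assumed name
    private static final String USER = "example.userId";             // assumed name

    @SuppressWarnings("unchecked")
    private static ConcurrentMap<String, HttpSession> registry(ServletContext ctx) {
        synchronized (ctx) { // create the shared map once per web application
            Object map = ctx.getAttribute(REGISTRY);
            if (map == null) {
                map = new ConcurrentHashMap<String, HttpSession>();
                ctx.setAttribute(REGISTRY, map);
            }
            return (ConcurrentMap<String, HttpSession>) map;
        }
    }

    // Call this right after authentication succeeds for userId.
    public static void onLogin(HttpSession current, String userId) {
        current.setAttribute(USER, userId);
        // put() is atomic: of two concurrent logins, only the later one stays registered.
        HttpSession previous = registry(current.getServletContext()).put(userId, current);
        if (previous != null && !previous.getId().equals(current.getId())) {
            try {
                previous.invalidate(); // the older browser loses its session
            } catch (IllegalStateException alreadyInvalid) { /* expired meanwhile */ }
        }
    }

    public void sessionCreated(HttpSessionEvent se) { } // user unknown until login

    // Runs on logout, timeout and the invalidate() above; keeps the map from leaking.
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        Object userId = s.getAttribute(USER);
        ConcurrentMap<String, HttpSession> map = registry(s.getServletContext());
        HttpSession registered = (userId == null) ? null : map.get(userId);
        if (registered != null && registered.getId().equals(s.getId())) {
            map.remove(userId, registered); // a newer session for this user stays
        }
    }
}
```

With the container-managed login from the question, `request.getRemoteUser()` is one possible source for the user ID passed to `onLogin`. The map holds live `HttpSession` references, so it covers a single JVM only, which is the limitation the answer's last bullet addresses.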