Is there a way to determine the number of active sessions created from a given client IP address?
Asked
Active
Viewed 2.2k times
3 Answers
15
The standard Servlet API doesn't offer facilities for that. Best what you can do is to maintain a Map<HttpSession, String> yourself (where the String is the IP address) with and check on every ServletRequest if the HttpSession#isNew() and add it to the Map along with ServletRequest#getRemoteAddr(). Then you can get the amount of IP addresses with an active session using Collections#frequency() on Map#values(). You only need to ensure that you remove the HttpSession from the Map during HttpSessionListener#sessionDestroyed().
This all can be done in a single Listener implementing the ServletContextListener, HttpSessionListener and ServletRequestListener.
Here's a kickoff example:
public class SessionCounter implements ServletContextListener, HttpSessionListener, ServletRequestListener {
private static final String ATTRIBUTE_NAME = "com.example.SessionCounter";
private Map<HttpSession, String> sessions = new ConcurrentHashMap<HttpSession, String>();
@Override
public void contextInitialized(ServletContextEvent event) {
event.getServletContext().setAttribute(ATTRIBUTE_NAME, this);
}
@Override
public void requestInitialized(ServletRequestEvent event) {
HttpServletRequest request = (HttpServletRequest) event.getServletRequest();
HttpSession session = request.getSession();
if (session.isNew()) {
sessions.put(session, request.getRemoteAddr());
}
}
@Override
public void sessionDestroyed(HttpSessionEvent event) {
sessions.remove(event.getSession());
}
@Override
public void sessionCreated(HttpSessionEvent event) {
// NOOP. Useless since we can't obtain IP here.
}
@Override
public void requestDestroyed(ServletRequestEvent event) {
// NOOP. No logic needed.
}
@Override
public void contextDestroyed(ServletContextEvent event) {
// NOOP. No logic needed. Maybe some future cleanup?
}
public static SessionCounter getInstance(ServletContext context) {
return (SessionCounter) context.getAttribute(ATTRIBUTE_NAME);
}
public int getCount(String remoteAddr) {
return Collections.frequency(sessions.values(), remoteAddr);
}
}
Define it in web.xml like follows:
<listener>
<listener-class>com.example.SessionCounter</listener-class>
</listener>
You can use it in any servlet like follows:
SessionCounter counter = SessionCounter.getInstance(getServletContext());
int count = counter.getCount("127.0.0.1");
BalusC
- 1,082,665
- 372
- 3,610
- 3,555
-
I would have used a WeakHashMap on Sessions do avoid to listen to sessions. I was thinking about a `Map
>` first, but handle manually sessions destruction seems pretty heavy for me. – Colin Hebert Sep 09 '10 at 19:18 -
@Colin: You're then dependent on the eagerness of the GC. This makes it all less solid. It's not a cache or so. – BalusC Sep 09 '10 at 19:21
-
2This is an old post that hasn't been updated in a while -- but to avoid problems for future readers it's worth pointing out that this example while good in most respects is not thread-safe. HashMap is not a thread-safe data-structure and this example is not doing anything to synchronize accesses to HashMap which means doing this in the real-world will lead to concurrency-issues. Just a warning; any implementation should use a different data-structure or else should synchronize access to the sessions-variable. – Bane Feb 17 '11 at 18:39
-
@BalusC: nice fix. Not having had much need for a concurrent hashmap-type structure (up until now), I wasn't immediately sure of what the best suggestion was. A little research confirms that ConcurrentHashmap is a great choice. Thank you for the education -- and the skeleton-class that I'll be borrowing for a problem I have. :) – Bane Feb 17 '11 at 19:49
-
@BalusC: oops, I believe there's still a concurrency-bug in this solution. In #requestInitialized() the call to sessions.put() is too simplistic -- that method does not appear to be atomic. Instead it should be sessions.putIfAbsent(). The JavaDocs for #putIfAbsent state that it is "[similar to check-then-put-then-get except] the action is performed atomically". The docs for #put make no claim to atomicity. See http://dmy999.com/article/34/correct-use-of-concurrenthashmap for more info. – Bane Feb 17 '11 at 20:07
-
@Bane: Fair point as well, but could there be multiple sessions with same ID from different IP addresses inside same servletcontainer then? :) I had more the potential concurrency issues with `sessions.values()` in mind, not in `sessions.put()`. – BalusC Feb 17 '11 at 20:16
-
@BalusC: ah, very good point! In this particular use-case, you are dead-on. Sorry for my oversight. In the case of #values I was a bit worried about that too but figured as long as #getCount wasn't being depended upon for anything except mere reporting, it's probably safe enough; agree? – Bane Feb 17 '11 at 20:28
-
@Bane: Yes. Even then, the consequences of using `HashMap` instead of `ConcurrentHashMap` would still be very minimal. You only risk getting an inaccurate report. – BalusC Feb 17 '11 at 20:38
-
Interesting approach, so let's say you want to avoid hacker attacks that send multiple requests (ending in multiple session) per second. You could reject requests by only accepting 3 sessions per IP. However: how do you deal with large companies where you might have 100 users accessing your site, each using your site normally, all have the same IP (because the whole company is using the same outgoing IP)... Any solution proposal to that? – basZero Oct 06 '15 at 10:56
-
-
1@MathieuCastets: because it's application scoped, not JVM/class scoped. – BalusC Nov 06 '15 at 09:50
-
1
I needed to get this information quickly without new deploys. It can be done by altering JSP and add the following snippet. (Only sessions with activity will get the value set):
<%
// Set user agent and ip in session
session.setAttribute("agent", request.getHeader("user-agent") + "@" + request.getRemoteAddr());
%>
Then create a groovy script to query jmx:
import javax.management.remote.*
import javax.management.*
import groovy.jmx.builder.*
// Setup JMX connection.
def connection = new JmxBuilder().client(port: 4934, host: '192.168.10.6')
connection.connect()
// Get the MBeanServer.
def mbeans = connection.MBeanServerConnection
def mbean = new GroovyMBean(mbeans, 'Catalina:type=Manager,host=localhost,context=/')
println "Active sessions: " + mbean['activeSessions']
def sessions = mbean.listSessionIds().tokenize(' ');
def ips = [:];
def agents = [:];
sessions.each
{
def agentString = mbean.getSessionAttribute(it, "agent");
if(agentString != null)
{
agent = agentString.tokenize('@');
}
else
{
agent = ['unknown', 'unknown'];
}
if(agents[agent[0]] == null)
{
agents[agent[0]] = [];
}
agents[agent[0]] += [it];
if(ips[agent[1]] == null)
{
ips[agent[1]] = [];
}
ips[agent[1]] += it;
};
println "Ips"
ips = ips.sort { -it.value.size }
ips.each
{
ip, list ->
println "${ip}\t${list.value.size}";
//println list;
//println "";
}
println ""
println "Agents"
agents = agents.sort { -it.value.size }
agents.each
{
agent, list ->
println "${agent}\t${agents[agent].size}";
//println list;
//println "";
}
Result
Active sessions: 729
Ips
unknown 102
68.180.230.118 11
80.213.88.107 11
157.55.39.127 9
81.191.247.166 2
...
Agents
Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+) 117
unknown 102
Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) 55
Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) 29
...
Brimstedt
- 3,020
- 22
- 32
-1
Very nice example Balus C. We solved this problem by using an Observer Listener. Here is nice example/tutorial for the same.
http://www.big-oh.net/BigOhSoftwareWeb/content/tutorials/requestObserverListener.jsp
Just thought it will be helpful to other visitors. :)
Edit : *** April 2017 **
Looks like the http://www.big-oh.net/ site that contains the source above is dead. Here is the source from web.archive.org. Also the added the file referred webpage in github gist. Gist source and its html preview
Ellipsis
- 117
- 7