3

How can I kill a user's session ID from a web administration panel? I mean, I have multiple users entering a website with JBoss 4.2 and Struts 1.3, and I want to close the sessions of some of these users remotely from the same website. What is the best strategy?

One possible solution is to associate the JSESSIONID with the user in the database and set the JSESSIONID. Then, for each transaction, ask whether I should remove the user's session.

I tried to handle it by using context.xml on the JBoss side with a FileStore session, but if I delete the session file (e.g. 2B6609A6CA38E35EEDF21BF3F3253BC8.session) the session is still active.

```xml
<Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
    <Store className="org.apache.catalina.session.FileStore" directory="\tmp\">
    </Store>
</Manager>
```

Any suggestions? Thanks.

RobertoCL

2 Answers

2

One of the ways is to just collect those sessions yourself with help of a HttpSessionListener:

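```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public class SessionManager implements HttpSessionListener {

    // Live sessions of this webapp instance, keyed by session ID.
    private static final Map<String, HttpSession> sessions = new ConcurrentHashMap<String, HttpSession>();

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        sessions.put(event.getSession().getId(), event.getSession());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        sessions.remove(event.getSession().getId());
    }

    // Invalidates the session with the given ID; returns false if it is not known here.
    public static boolean invalidate(String sessionId) {
        HttpSession session = sessions.get(sessionId);

        if (session != null) {
            session.invalidate();
            return true;
        } else {
            return false;
        }
    }

}
```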

It allows you to do something like this in your webadmin panel's code:

```java
SessionManager.invalidate(someSessionId);
```

Perhaps you're already using a HttpSessionListener to sync the sessions with the database. That would be totally superfluous this way then.

BalusC
  • Speaking from experience, using a Map of HttpSession objects is a good idea until the application server is part of a domain, or starts serializing and deserializing sessions. At that time, using a database table to manage logged-in user IDs is better; the same approach of using a HttpSessionListener will hold good. – Vineet Reynolds Aug 17 '11 at 23:13
  • @Vineet: makes sense. How would you invalidate them then? Checking with a filter on every request if the user is supposed to be logged-out? – BalusC Aug 18 '11 at 00:31
  • Yes, that database call on every request is unfortunate. It can be done in a filter. The other choice is to place the Map in a distributed cache like EHCache or Coherence. I'm not sure about the behavior when the container serializes/deserializes HttpSession instances that are also on the cache, and whether the Map will contain stale instances. I believe EHCache and Coherence would handle the serialization/deserialization aspect, but I'm not sure. – Vineet Reynolds Aug 18 '11 at 00:39
  • @Vineet: a distributed cache sounds better. But after all, you're then basically duplicating the container's own job of managing the mapping of all sessions. By the way, using JMX as suggested by the other answer ties you to the container used, but it's likely the most robust way. I found a better detailed answer here: http://stackoverflow.com/questions/744021/is-it-a-possible-to-invalidate-an-individual-session-in-jboss-through-jmx – BalusC Aug 18 '11 at 00:46
  • Since the servlet spec doesn't address aspects like querying the container to obtain container-managed objects like HttpSessions, the container's work would be duplicated at some level; in fact, when you use Terracotta or Coherence, the HttpSession implementation itself would be provided by the cache provider rather than by the container. I would agree that JMX might be more robust, but I'm not aware of whether that works in a cluster; unless the JMX bean of the container queries the serialization store, it would not work. – Vineet Reynolds Aug 18 '11 at 01:04
  • Well, the idea is to limit access to the database. Thanks for the tips. – RobertoCL Aug 18 '11 at 01:13
  • I can't see any info about multithreading in HttpSessionListener docs. I'm not sure, but maybe the access to the hashmap should be synchronized to avoid unexpected behaviours. – Daniels118 Apr 29 '21 at 07:57
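
An added example (not code from any of the posters) of the per-request check discussed in the comments above: a filter that looks up the current session ID in a revocation list and invalidates the session on a match. The class name, `revoke()` and the in-memory `REVOKED` map are assumptions; the map stands in for the shared database table or distributed cache a clustered deployment would use.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Per-request revocation check (Servlet 2.5 API). Only session IDs are stored,
 * never HttpSession objects, so nothing goes stale when the container
 * serializes or passivates sessions.
 */
public class SessionRevocationFilter implements Filter, HttpSessionListener {

    // Hypothetical store (assumption): session ID -> time of revocation in ms.
    private static final ConcurrentMap<String, Long> REVOKED =
            new ConcurrentHashMap<String, Long>();

    /** Called from the admin panel; the caller must already be authorized as an administrator. */
    public static void revoke(String sessionId) {
        REVOKED.put(sessionId, Long.valueOf(System.currentTimeMillis()));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false); // never create a session here
        if (session != null && REVOKED.containsKey(session.getId())) {
            session.invalidate(); // fires sessionDestroyed(), which purges the entry
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session terminated");
            return;
        }
        chain.doFilter(req, res);
    }

    /** Purge IDs of sessions that ended (revoked or timed out) so the list cannot grow unbounded. */
    public void sessionDestroyed(HttpSessionEvent event) {
        REVOKED.remove(event.getSession().getId());
    }

    public void sessionCreated(HttpSessionEvent event) {}
    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

The class has to be registered in `web.xml` both as a `<filter>` mapped to the protected URLs and as a `<listener>`.
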
0

There should be a JMX interface for that.

Rostislav Matl
  • Thanks, JBoss has a JMX MBean and an expireSession function; will investigate. – RobertoCL Aug 18 '11 at 01:06
  • It worked! `MBeanServer server = MBeanServerLocator.locateJBoss(); ObjectName objectName = new ObjectName("jboss.web:type=Manager,path=/THE_WEBAPP,host=localhost"); System.out.println(server.invoke(objectName, "listSessionIds",null, null));`
    ref. http://community.jboss.org/wiki/FAQJBossJMX
    – RobertoCL Aug 18 '11 at 03:01