
I have a requirement to have only one active session per user in my application. Currently, I'm using a sessionId and storing it in sessionStorage as well as in a database for the logged-in user. Whenever the same user tries to log into the application from another tab or browser, I'm comparing the sessionId and also checking whether a session is already active for that user using the sessionId (I'm using Apache Shiro for session management); if yes, they get redirected to an invalid-session page; otherwise, if the session is invalid, the user can proceed with the login (the sessionId is cleared on the logout action).

Now, I have one situation: when the user logs into the application and accidentally closes the browser or tab with the active session, or the user's PC gets restarted, they cannot log into the application until the old session times out (the user session times out after 15 minutes of inactivity). I want to allow the user to log in if the active session's tab gets closed accidentally. Is there any way I can handle this situation?

Jasper de Vries
stoic75
  • Just replace the current session with a new session on each login and invalidate the old ones if any activity is performed on any of them. – Jasper de Vries May 31 '22 at 11:41
  • @JasperdeVries I do not want to terminate the user's active session if he's working on it; instead, prevent the login from another tab/browser. – stoic75 Jun 01 '22 at 05:56

1 Answer


HttpSessions are not linked to tabs; they are browser scoped. If a user tries to log in from another tab, you know it has an active session within that browser. So in that case simply do not offer a login form.

If a tab is closed, you might have other tabs open which use the session, so it would not make sense to invalidate a session on closing a tab.

You cannot detect and act on a PC shutdown. So you will never get what you want to be bulletproof.

I would implement it like this: if a user tries to log on, and there is an "active" (recent) session in the database, warn the user that an active session is found and that continuing will invalidate the other session(s).


Since you've tagged the question with PrimeFaces, you might want to check out p:idleMonitor. It can help you to invalidate inactive sessions from the client side.


Jasper de Vries
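The warn-and-replace flow from the answer, written out against Apache Shiro's session API as an added example (this is not the answerer's code and not part of the question's application). It assumes shiro-core on the classpath, an in-memory map where the question keeps the user-to-sessionId mapping in a database, and the names `SingleSessionPolicy`, `bind`, `release` and `liveSessionFor`, which are all made up for the example. The point it adds beyond the prose: "active" is decided by asking Shiro to validate the stored session id (a stopped or timed-out session throws), so a session left behind by a closed tab or a rebooted PC is either replaced when the user confirms the warning, or silently freed once Shiro has expired it, and the check runs only after `Subject.login` has verified the credentials, so an unauthenticated caller cannot use the login form to probe who is logged in or to lock accounts out.

```java
import java.io.Serializable;
import java.util.Date;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.session.mgt.DefaultSessionKey;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.subject.Subject;

/** One active Shiro session per user (example code, not from the answer above). */
public class SingleSessionPolicy {

    public enum Outcome { BOUND, ACTIVE_SESSION_EXISTS, REPLACED }

    private final SessionManager sessions;
    // user -> id of the Shiro session currently bound to that user.
    // In-memory for the example; the question stores this in a database table.
    private final Map<String, Serializable> boundSession = new ConcurrentHashMap<>();

    public SingleSessionPolicy(SessionManager sessions) { this.sessions = sessions; }

    /** The bound session if Shiro still considers it valid, otherwise null (and the slot is freed). */
    private Session liveSessionFor(String user) {
        Serializable id = boundSession.get(user);
        if (id == null) return null;
        try {
            // getSession validates: a stopped or timed-out session throws a SessionException.
            return sessions.getSession(new DefaultSessionKey(id));
        } catch (SessionException stale) {
            boundSession.remove(user, id); // closed tab / rebooted PC whose session has since expired
            return null;
        }
    }

    /**
     * Call only AFTER subject.login() succeeded. `force` is the user's answer to the
     * "an active session was found, continuing will end it" warning.
     */
    public synchronized Outcome bind(String user, Session newSession, boolean force) {
        Session old = liveSessionFor(user);
        if (old != null && !old.getId().equals(newSession.getId())) {
            if (!force) return Outcome.ACTIVE_SESSION_EXISTS; // caller shows the warning, logs the new subject out
            old.stop();                                        // invalidate the other browser's session
            boundSession.put(user, newSession.getId());
            return Outcome.REPLACED;
        }
        boundSession.put(user, newSession.getId());
        return Outcome.BOUND;
    }

    /** Call from the logout action so the slot is freed immediately. */
    public void release(String user, Session s) {
        boundSession.remove(user, s.getId());
    }

    /** For the warning page: when the other session would expire on its own if nobody touches it. */
    public static Date expiresAt(Session s) {
        return new Date(s.getLastAccessTime().getTime() + s.getTimeout());
    }

    public static void main(String[] args) throws Exception {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "correct horse");                // constructed test account
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        SingleSessionPolicy policy = new SingleSessionPolicy(sm.getSessionManager());

        // Browser A: credentials verified first, then the slot is claimed.
        Subject a = new Subject.Builder(sm).buildSubject();
        a.login(new UsernamePasswordToken("alice", "correct horse"));
        System.out.println("A: " + policy.bind("alice", a.getSession(), false));

        // Browser B: authenticates, but A still holds the slot, so warn and discard B's session.
        Subject b = new Subject.Builder(sm).buildSubject();
        b.login(new UsernamePasswordToken("alice", "correct horse"));
        Outcome r = policy.bind("alice", b.getSession(), false);
        System.out.println("B: " + r + " (other session expires " + expiresAt(a.getSession()) + ")");
        if (r == Outcome.ACTIVE_SESSION_EXISTS) b.logout();

        // Tab A was closed by accident; the user confirms the warning from browser C.
        Subject c = new Subject.Builder(sm).buildSubject();
        c.login(new UsernamePasswordToken("alice", "correct horse"));
        System.out.println("C: " + policy.bind("alice", c.getSession(), true));

        // PC rebooted, nobody confirmed: once Shiro has expired C's session the slot is free for D.
        c.getSession().setTimeout(1L);                               // shortened only to simulate the 15 min timeout
        Thread.sleep(20);
        Subject d = new Subject.Builder(sm).buildSubject();
        d.login(new UsernamePasswordToken("alice", "correct horse"));
        System.out.println("D: " + policy.bind("alice", d.getSession(), false));
    }
}
```

Run it with shiro-core on the classpath (`java -cp shiro-core.jar:... SingleSessionPolicy.java`). `bind` is synchronized so two simultaneous logins for the same user cannot both see the slot as free; with a database registry the same guarantee needs a unique constraint on the user column or a row lock on the existing entry.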