Allow only one session per user

We have a web application developed using Struts2, Spring and Hibernate.

The application needs functionality so that one user can log in from just one browser.

Say, if user x is logged in on pc-1 in browser ff, then he cannot be logged in from any other place.

I tried it by implementing a session map and saving the sessions in a global map, but this fails when the user logs out and tries to log in again.

Even if this is not the case, it is critical if the user does not log out and the session times out, but the map is not cleared.

It’s best to implement this functionality.

We do not want to prevent the user from logging in, but we do not want users to use this application in a way that lets them share credentials and allows multiple users with the same name.

+6
7 answers

Since you are already using Spring, I would recommend you integrate your application with Spring Security.

Spring Security allows you to determine the maximum number of sessions allowed for a user at a time.

    <session-management>
        <concurrency-control max-sessions="1" />
    </session-management>

If set, when a user having a valid session tries to log in again, it will inform the user that the maximum concurrent access is set to 1.

Read the Spring Security reference documentation for more details: v3.2.x, v4.2.x, or v5.1.x.

If Spring Security is not right for you, then:

  1. Use a SessionInterceptor, which will verify that the session is valid. If the session is valid, it will check whether the user has already logged into the application (for this you will need to keep a record of sessions somewhere, for example in the database, for each successful login). If a valid login is found, either redirect the user to the login page again with a message, or log out the existing session and then redirect him to the login page again. If you end the previous session, any subsequent action in that browser session will be associated with an invalid session.

  2. If you also use a Servlet in your application, then the Interceptor will not work for you. In this case you should use a Filter and follow the same steps that were described above for the Interceptor.

+14

When entering the system, the user is provided with the generated identifier / cookie (sessionid) stored with the user data. If the user makes a request to the server with the old ID / cookie, say that he has logged in elsewhere.

Another method that prohibits a new login attempt has its drawbacks - as you have already experienced.

+1

The best solution is to log the user out of the other session when entering a new session. Often the user will not fail when closing the browser and restricting it from entering another window will be a trap.

Automatically closing any previous user sessions is good, because during normal use this is not a problem, but when sharing a username and password, two people cannot work simultaneously with your application.

+1
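The approach from the answers above (a new login ends the previous session), combined with cleanup on session timeout, which is where the question's global map failed. This is an added example, not code from the original thread; it assumes the `javax.servlet` API, and the class name `SingleSessionRegistry` and the attribute name are hypothetical.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added example: keeps at most one live HttpSession per user id.
// Register it as a <listener> in web.xml so the container calls
// sessionDestroyed() on explicit logout AND on session timeout.
public class SingleSessionRegistry implements HttpSessionListener {

    // Hypothetical attribute name recording which user owns a session.
    static final String USER_ATTR = "singleSession.userId";

    // userId -> the one session currently allowed for that user.
    private static final ConcurrentMap<String, HttpSession> ACTIVE =
            new ConcurrentHashMap<>();

    // Call once credentials are verified, passing the session of the new login.
    public static void register(String userId, HttpSession newSession) {
        newSession.setAttribute(USER_ATTR, userId);
        HttpSession previous = ACTIVE.put(userId, newSession);
        if (previous != null && !previous.getId().equals(newSession.getId())) {
            try {
                previous.invalidate(); // the older browser is logged out
            } catch (IllegalStateException alreadyInvalid) {
                // the old session had already expired; nothing left to do
            }
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // A session only counts once register() has been called for it.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession ended = event.getSession();
        Object userId = ended.getAttribute(USER_ATTR);
        if (userId != null) {
            // Drop the entry only if it still points at the session that ended,
            // so invalidating an old session never evicts the newer login.
            ACTIVE.computeIfPresent((String) userId, (id, current) ->
                    current.getId().equals(ended.getId()) ? null : current);
        }
    }
}
```

Because the entry is removed in `sessionDestroyed()`, a timed-out session no longer leaves a stale record that blocks or confuses the next login.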

Create a map. During registration, check whether the user ID is present in this map or not. If it does not exist, then enter the user ID into the map; while logging out, delete this user ID.

+1

Honestly, I would review the reasons why you should restrict the user to one login. Despite the fact that they cannot log in from two different browsers, it’s easy enough - any suggestions offered will work - with the Spring Security parameter, which is easiest to implement if you can - they all break when your user opens a second tab in the same browser. This is considered part of the same session.

0

Maintain the user stack in the servlet context, as there will be one for the web container. Before the user logs in, check whether the username is found in the servlet context; if it is, redirect him to the login page.

0

All you have to do is add a field to the database userprofile table, say: already logged in. If the user logs in, set it to Y. If the user logs out, set it to N. Now every time the user tries to log in from a new location, check this value and prohibit logging in if the value is Y.

0

Source: https://habr.com/ru/post/1414694/

