« Better PHP code: some improvements, resources and tips | Main | The new BlazeDS JMSAdapter allows to pass connection-level credentials to JMS »

How to avoid multiple per-user sessions in Tomcat/JBoss

Usually, in our rich internet application, a user with a registered account can do two different logins from two different workstations and can maintain two concurrent sessions opened. In some applications we want to limit the users to one session per account, so we have to take countermeasures.
A simple method to check if a user is logged is to set a property in the current HttpSession; in this example in our login function we set

session.setAttribute("username", username);

If there is no username attribute, we will return an error to the user.
When someone starts a session with his account we have to check if there is already a session opened with that account. We can use an HashMap using the username as key and the session as value; obviously we have to use the same hashmap across multiple logins. A very fast and simple solution is to create a singleton that exposes operations on our hashmap:



public class MySessionManager {

  private HashMap hashMap;

  public boolean exist(String username) {
   if(hashMap.containsKey(username)) {
     return true;
   }

   return false;
  }

  public boolean addSession(HttpSession session) {
   if(hashMap.containsKey(session.getAttribute("username"))) {
   return false;
   }

   hashMap.put((YouthruCorpPrincipal)session.getAttribute("username"), session);
   return true;
  }

  public HttpSession getSession(String username) {
   return hashMap.get(username);
  }

  public boolean removeSession(String username) {
    if(!hashMap.containsKey(username)) {
     return false;
    }

    hashMap.remove(username);
   return true;
  }

  private static MySessionManager instance;


  public static MySessionManager getInstance() {
    if(instance == null)
     instance = new MySessionManager();

   return instance;
  }

  public MySessionManager() {
    hashMap = new HashMap();
  }

}

In our login function we have to check the existence of a previously created session with the same username, in that case we can logout the user associated with that session:

if(MySessionManager.getInstance.exist(username)) {
logout(MySessionManager.getInstance.getSession(username));
MySessionManager.getInstance.removeSession(username);
}

In this case the logout function takes as argument a session and log out from our application the user associated with that session, then we can do our login routine and at add the current session to the hashmap.

In this example we are checking only for sessions with a username attached, if we want to do some operation every time a session is created/destroyed, we can implement the HttpSessionListener interface:

http://tomcat.apache.org/.../http/HttpSessionListener.html

Classes that implement this interface will be notified of session creation and destruction using the respective functions:

void sessionCreated(HttpSessionEvent se)
void sessionDestroyed(HttpSessionEvent se)

To receive notification events, the implementation class must be configured in the deployment descriptor for the web application; for example:



<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <listener>
    <listener-class>
      myapp.security.MySessionListener
     </listener-class>
  </listener>
</web-app>

Posted by Emanuele Tatti on January 28, 2008 5:58 PM |

TrackBack

TrackBack URL for this entry:
http://blog.comtaste.com/mt-tb.cgi/43

Comments (2)

emmel:

Hi!

I have a web application and will have users connected to it simmultaneous.

The problem is the next:

With Accept button go to Configuration Action class, and it makes a session.setattribute("configuration", config_object) for save some object into session, after it redirect to Generation Action class.

Generation Action class make a session.getattribute("configuration") for get the object saved in Configuration Action class, after it
Generation Action class make a session.setattribute("generation", generation_object), and session.setattribute("configuration", config_object_modified) after it redirect to the jsp.

In the jsp obtain the attributes with:

The problem is when two user acceded to click button I guess that the setattribute are saving like to application scope (getServlet().setattribute..) because both users the application display the same information and at the began the configuration was different. If the users acceded in different second the application run correctly.

If I synchronize the execute methods of Generation Action class and Configuration Action class the application runs correctly; but I dont want it, because if the user1 acceded to the database and his/her SQL Query runs slowly, the second user will be waiting until user1 finish.

Thanks!

Posted by emmel | February 8, 2009 6:38 PM

Posted on February 8, 2009 18:38

Francois:

Thank you!
This is so simple. Much appreciated :)

Posted by Francois | February 26, 2009 4:42 PM

Posted on February 26, 2009 16:42

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)

Search


About

This page contains a single entry from the blog posted on January 28, 2008 5:58 PM.

The previous post in this blog was Better PHP code: some improvements, resources and tips .

The next post in this blog is The new BlazeDS JMSAdapter allows to pass connection-level credentials to JMS.

Many more can be found on the main index page or by looking through the archives.

Subscribe to this blog's feed
[What is this?]
Powered by
Movable Type 3.33