How to avoid multiple per-user sessions in Tomcat/JBoss (Comtaste Consulting | Enterprise RIA consulting and development)

Usually, in our rich internet application, a user with a registered account can do two different logins from two different workstations and can maintain two concurrent sessions opened. In some applications we want to limit the users to one session per account, so we have to take countermeasures.
A simple method to check if a user is logged is to set a property in the current HttpSession; in this example in our login function we set

session.setAttribute("username", username);

If there is no username attribute, we will return an error to the user.
When someone starts a session with his account we have to check if there is already a session opened with that account. We can use an HashMap using the username as key and the session as value; obviously we have to use the same hashmap across multiple logins. A very fast and simple solution is to create a singleton that exposes operations on our hashmap:

public class MySessionManager {



	  private HashMap hashMap;

	  public boolean exist(String username) {

		   if(hashMap.containsKey(username)) {

		    	return true;

		   }

		

		   return false;

	  }

	

	  public boolean addSession(HttpSession session) {

	   if(hashMap.containsKey(session.getAttribute("username"))) {

		   return false;

		   }

		

		   hashMap.put((YouthruCorpPrincipal)session.getAttribute("username"), session);

		   return true;

	  }

	

	  public HttpSession getSession(String username) {

	   return hashMap.get(username);

	  }

	

	  public boolean removeSession(String username) {

	   	if(!hashMap.containsKey(username)) {

		    	return false;

	   	}

		

	   	hashMap.remove(username);

		   return true;

	  }

	

	  private static MySessionManager instance;

	

	

	  public static MySessionManager getInstance() {

	   	if(instance == null)

		    	instance = new MySessionManager();

		

		   return instance;

	  }

public MySessionManager() { hashMap = new HashMap(); } }

In our login function we have to check the existence of a previously created session with the same username, in that case we can logout the user associated with that session:

if(MySessionManager.getInstance.exist(username)) {
logout(MySessionManager.getInstance.getSession(username));
MySessionManager.getInstance.removeSession(username);
}

In this case the logout function takes as argument a session and log out from our application the user associated with that session, then we can do our login routine and at add the current session to the hashmap.

In this example we are checking only for sessions with a username attached, if we want to do some operation every time a session is created/destroyed, we can implement the HttpSessionListener interface:

http://tomcat.apache.org/.../http/HttpSessionListener.html

Classes that implement this interface will be notified of session creation and destruction using the respective functions:

void sessionCreated(HttpSessionEvent se)
void sessionDestroyed(HttpSessionEvent se)

To receive notification events, the implementation class must be configured in the deployment descriptor for the web application; for example:

<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"> <listener> <listener-class> myapp.security.MySessionListener </listener-class> </listener> </web-app>

Enterprise RIA development and consulting with Adobe Flex 3, LiveCycle Data Services, Flex Data Services, Actionscript 3, Java and J2EE

Need Consulting? Need Training?

How to avoid multiple per-user sessions in Tomcat/JBoss

TrackBack

Post a comment

Search

About