Kill or invalidate session using session id (concurrent login)
Most business applications should not allow concurrent login (login from multiple browsers or machines with the same login id). Because the HTTP session is specific to each browser, it is difficult to kill or invalidate one HTTP session from another session.
The actual requirement should be like this:
Imagine that user “A” has logged in successfully with the id “1234” and user “B” tries to log in with the same id “1234” from a different machine, or from a different browser on the same machine.
In that case, display a popup or a message like “The user id is active in other session, click KILL ACTIVE USER button to kill the existing active session or click CANCEL button to cancel the current login”.
If user “B” clicks the KILL ACTIVE USER button, allow user “B” to log in and invalidate user “A”'s session. That means “A” can no longer perform any request or action in the application; if he makes a request, he is automatically logged out of the application.
If user “B” clicks the CANCEL button, he is not able to log in to the application, and user “A” continues with the session without any problem.
If the application runs on a single production server, this is easy to handle with the context object (save the session id in the context object and compare the current session id with the saved one). But what if the application runs on more than one server? In that case, follow the steps below.
Steps to Kill or invalidate session using session id:
Step 1: Save the user id (Ex: 1234) and session id (Ex: 23kwhejehw234yuuer) in a database table (Ex: SESSION_MANAGEMENT) when user “A” logs in.
Insert into SESSION_MANAGEMENT values('1234','23kwhejehw234yuuer');
Step 2: Add a check in the filter (Request and Response) that compares the current session id with the session id saved in the SESSION_MANAGEMENT table. If both are the same, user “A” can continue; otherwise he is logged out of the application.
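String current_session_id = req.getSession().getId();
String saved_session_id_from_database = null; // write code to read this user's saved session id from SESSION_MANAGEMENT
if (!current_session_id.equals(saved_session_id_from_database)) {
    req.getSession().invalidate(); // the saved id differs, so this session is no longer the active one
    // redirect to login page
}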
Step 3: When user “B” tries to log in to the application, with the same or a different user id, check the database (with a select query by user id) to see whether the user id exists in the SESSION_MANAGEMENT table. If the user id already exists (which means “B” used the same user id “1234”), show the popup message described earlier:
"The user id is active in other session, click KILL ACTIVE USER button to kill the existing active session or click CANCEL button to cancel the current login"
Step 4: If user “B” clicks the KILL ACTIVE USER button in the popup, update the session id for user id “1234” in the SESSION_MANAGEMENT table. The user id “1234” now has a new session id (Ex: sdjh34jsjdhjwh23u4uus234) in the database.
Update SESSION_MANAGEMENT set session_id ='sdjh34jsjdhjwh23u4uus234' where user_id='1234'
Step 5: At this point, if user “A” makes any request, the filter compares the current session id (Ex: 23kwhejehw234yuuer) with the session id saved in the SESSION_MANAGEMENT table (Ex: sdjh34jsjdhjwh23u4uus234). This time the two session ids are not the same, because we updated the session id for “1234” when user “B” logged in. So user “A” is thrown out of the application by calling the session invalidation method (redirect to login page).
The main drawback of this implementation is that the filter compares the current session id with the saved session id from the database table on every user action. This may lead to performance issues.
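The check from Step 2 and Step 5 written out as a complete servlet filter. This is an added example, not code from the original post. It assumes the javax.servlet 4.0 API, a JNDI DataSource named jdbc/appDS, a "userId" session attribute set by the login code, and a login page at /login.jsp (all hypothetical names); the column names user_id and session_id are the ones used in the update statement of Step 4.

```java
import java.io.IOException;
import java.sql.*;
import javax.naming.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.sql.DataSource;

// Added example: rejects any request whose session id is no longer the one stored for the user.
public class SingleSessionFilter implements Filter {
    private DataSource ds;
    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try {
            // Assumed JNDI name; use the DataSource your container defines.
            ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/appDS");
        } catch (NamingException e) {
            throw new ServletException(e);
        }
    }
    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);  // never create a session here
        // "userId" is an assumed attribute name, stored by the login code in Step 1.
        String userId = session == null ? null : (String) session.getAttribute("userId");
        if (userId == null) {         // not logged in yet: the login flow handles it
            chain.doFilter(rq, rs);
            return;
        }
        if (session.getId().equals(savedSessionId(userId))) {
            chain.doFilter(rq, rs);   // this session still owns the user id
        } else {
            session.invalidate();     // a newer login took over (Step 4) or the row is gone
            res.sendRedirect(req.getContextPath() + "/login.jsp"); // assumed login page
        }
    }
    private String savedSessionId(String userId) throws ServletException {
        String sql = "SELECT session_id FROM SESSION_MANAGEMENT WHERE user_id = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, userId);  // bound parameter, no string concatenation
            try (ResultSet r = ps.executeQuery()) {
                return r.next() ? r.getString(1) : null;
            }
        } catch (SQLException e) {
            throw new ServletException(e); // fail closed when the table cannot be read
        }
    }
}
```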