java2db

Kill or invalidate session using session id ( concurrent login )



Most business applications should not allow concurrent logins (logins from multiple browsers or machines with the same login id). Because an HTTP session is specific to each browser, it is difficult to kill or invalidate one HTTP session from another session.

The actual requirement should be like this:

Imagine that user “A” has logged in successfully with the id “1234”, and user “B” tries to log in with the same id “1234” from a different machine or from a different browser on the same machine.

 

In that case, display a popup or a message such as “The user id is active in another session. Click the KILL ACTIVE USER button to kill the existing active session, or click the CANCEL button to cancel the current login.”

 

If user “B” clicks the KILL ACTIVE USER button, allow user “B” to log in and invalidate user “A”'s session. That means “A” can no longer perform any request or action in the application; if he makes a request, he is automatically logged out of the application.

 

If user “B” clicks the CANCEL button, he is not able to log in to the application, and user “A” can continue with the session without any problem.

 

If the application runs on a single production server, this is easy to handle with the context object (save the session id in the context object and compare the current session id with the saved one). But what if the application runs on more than one server? In that case, follow the steps below.

 

 Steps to Kill or invalidate session using session id:

 Step 1 : Save the user id (Ex: 1234) and session id (Ex: 23kwhejehw234yuuer) in a database table (Ex: SESSION_MANAGEMENT) when user “A” logs in.

 

 

 Step 2 : Add a check in the filter (request and response) that compares the current session id with the session id saved in the SESSION_MANAGEMENT table. If both are the same, user “A” can carry on; otherwise he is logged out of the application.

 

 

 Step 3 : When user “B” tries to log in to the application with the same or a different user id, check the database (with a select query by user id) to see whether the user id already exists in the SESSION_MANAGEMENT table. If the user id already exists (which means “B” used the same user id “1234”), show the popup message described earlier.

 

 

 Step 4 : If user “B” clicks the KILL ACTIVE USER button in the popup, update the session id for the same user id “1234” in the SESSION_MANAGEMENT table. The user id “1234” now has a new session id (Ex: sdjh34jsjdhjwh23u4uus234) in the database.

 

 

 Step 5 : At this point, if user “A” makes any request, the filter compares the current session id (Ex: 23kwhejehw234yuuer) with the saved session id (Ex: sdjh34jsjdhjwh23u4uus234) from the SESSION_MANAGEMENT table. This time the two session ids are not the same, because we updated the session id for “1234” when user “B” logged in. So user “A” is thrown out of the application by calling the session invalidation method (and redirected to the login page).
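
The five steps above, as an added example that is not code from the original post: a plain-Java model in which a `ConcurrentHashMap` stands in for the SESSION_MANAGEMENT table. The class and method names are hypothetical, and the conditional logout is an addition beyond the steps, included so that a stale logout from “A” cannot remove the row that now belongs to “B”.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** In-memory stand-in for the SESSION_MANAGEMENT table (assumption: one row per user id). */
public class SessionManagementDemo {
    enum LoginResult { LOGGED_IN, ACTIVE_ELSEWHERE }

    // user id -> the only session id currently allowed for that user
    private final Map<String, String> table = new ConcurrentHashMap<>();

    /** Steps 1, 3 and 4: register a login; killActive models the KILL ACTIVE USER button. */
    LoginResult login(String userId, String sessionId, boolean killActive) {
        if (killActive) {
            table.put(userId, sessionId);   // step 4: overwrite the saved session id
            return LoginResult.LOGGED_IN;
        }
        // Steps 1 and 3 as one atomic operation: insert only when no row exists,
        // so two simultaneous first logins cannot both succeed.
        String existing = table.putIfAbsent(userId, sessionId);
        return (existing == null || existing.equals(sessionId))
                ? LoginResult.LOGGED_IN : LoginResult.ACTIVE_ELSEWHERE;
    }

    /** Steps 2 and 5: the check the filter runs on every request. */
    boolean isCurrent(String userId, String sessionId) {
        return sessionId.equals(table.get(userId));
    }

    /** Logout deletes the row only if it still belongs to the session logging out. */
    void logout(String userId, String sessionId) {
        table.remove(userId, sessionId);
    }

    public static void main(String[] args) {
        SessionManagementDemo db = new SessionManagementDemo();
        String a = "23kwhejehw234yuuer";        // session ids taken from the post
        String b = "sdjh34jsjdhjwh23u4uus234";
        System.out.println("A logs in:             " + db.login("1234", a, false));
        System.out.println("B tries to log in:     " + db.login("1234", b, false));
        System.out.println("B cancels, A valid:    " + db.isCurrent("1234", a));
        System.out.println("B kills active user:   " + db.login("1234", b, true));
        System.out.println("A valid after kill:    " + db.isCurrent("1234", a));
        db.logout("1234", a);                   // stale logout from A must not evict B
        System.out.println("B valid after A's logout: " + db.isCurrent("1234", b));
    }
}
```

In a real deployment the map operations become parameterized SQL statements against the shared table, and a `false` from `isCurrent` is where the filter invalidates the session and redirects to the login page.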

 

 

The main drawback of this implementation is that the filter compares the current session id with the saved session id from the database table on every user action, which may lead to performance issues.

 

 



