Enforce no more than one user in a JSP application

I am developing a web tool using JSP where there are many users of multiple types (e.g. admins, guests, write-enabled users ...). Since this will be a subscription-based system (i.e. a 3/6/12-month subscription fee), I need to allow no more than 1 login per user at a time. For example, say Mr. John Smith subscribes to this system; I don't want him to give his credentials to his friend so that they both use the system at the same time from two different computers. How can I manage this situation?


3 answers


  • When a user logs in, save HttpSession.getId() for that user. This could be in application scope, as a map from usernames to session IDs, or in a database.
  • For each subsequent request from a logged-in user, make sure that request.getSession().getId() is the one stored for that user.
  • If the request's session ID is not the one stored for this user, then the stored one must be the ID of a newer session, from a later login with the same username. In this case, inform the user about the other login and call request.getSession().invalidate() to log them out.

The main thing to remember is that, given only the saved session ID of a different session (not the current one), you cannot invalidate that other session.



Also, if you don't clear the saved session ID after the session times out, you won't be able to reject a second login attempt, since you can't tell whether the first session is still active.

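The three steps above, written out as a servlet Filter combined with an HttpSessionListener so that the timeout caveat is handled too. This is an added example, not code from the answer. It assumes a Servlet 3.1+ container using the javax.servlet API (the jakarta.servlet namespace works the same after changing the imports), a session attribute named authenticatedUser that the application's login handler sets by calling registerLogin after the password check, and a login page at /login; all three are assumptions made for the example.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * One active session per username. The newest login wins; an older session
 * is invalidated on its next request. The registry is an in-memory map, so
 * this is single-JVM only: a clustered deployment needs a shared store
 * (the database option mentioned in the answer) instead.
 */
@WebFilter("/*")
@WebListener
public class SingleSessionFilter implements Filter, HttpSessionListener {

    /** Session attribute holding the authenticated username (name is an assumption). */
    public static final String USER_ATTR = "authenticatedUser";

    /** username -> session ID of that user's most recent login. */
    private static final Map<String, String> ACTIVE_SESSIONS = new ConcurrentHashMap<>();

    /**
     * Called by the login handler once the password check has passed.
     * The session ID is rotated first, so the ID we register is never one an
     * attacker could have planted before authentication (session fixation).
     */
    public static void registerLogin(HttpServletRequest req, String username) {
        req.changeSessionId();                           // Servlet 3.1+
        HttpSession session = req.getSession();
        session.setAttribute(USER_ATTR, username);
        ACTIVE_SESSIONS.put(username, session.getId());  // replaces any earlier login's ID
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession session = req.getSession(false);     // don't create a session just to check it
        String user = session == null ? null : (String) session.getAttribute(USER_ATTR);

        if (user != null && !session.getId().equals(ACTIVE_SESSIONS.get(user))) {
            // This session lost its slot to a later login (or its record is gone):
            // log it out here, since we cannot reach the other session from this request.
            session.invalidate();
            ((HttpServletResponse) response).sendRedirect(req.getContextPath() + "/login?expired");
            return;
        }
        chain.doFilter(request, response);
    }

    /** Free the slot on timeout or logout, but only if this session still owns it. */
    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        String user = (String) session.getAttribute(USER_ATTR);
        if (user != null) {
            // Conditional remove: if a newer session already took the slot, leave its entry alone.
            ACTIVE_SESSIONS.remove(user, session.getId());
        }
    }

    @Override public void sessionCreated(HttpSessionEvent event) { }
    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Two design points worth noting. The conditional remove(key, value) in sessionDestroyed is what makes the timeout handling correct: when the older session is invalidated by doFilter, its ID no longer matches the registry entry, so the newer login's entry survives. And the policy here is "newer login wins", which means anyone who knows the password can knock the paying subscriber off; the subscriber at least sees the expired-login page, which is the signal the third answer below relies on. The opposite policy ("reject the second login while the first session is alive") is a check in registerLogin against the existing entry, and it only works because expired sessions are cleared out. Treat the stored IDs as secrets: they are equivalent to the session cookie, so keep them out of logs and out of any page output.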

I don't know what framework, if any, you are using (you only mentioned JSP). But if the rest of your application uses the Spring Framework, this feature is already implemented in the ConcurrentSessionFilter from Spring Security. It supports several ways to detect and handle concurrent logins, including those suggested by Peter Hilton above.

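What enabling that Spring Security feature looks like, as an added example rather than anything from the answer or from the Spring project. It assumes Spring Security 5.x Java configuration (WebSecurityConfigurerAdapter, which later versions removed); maximumSessions(1) is what wires in the ConcurrentSessionFilter and its SessionRegistry, and the maxSessionsPreventsLogin flag selects between the two policies from the answers above:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SingleLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .sessionManagement()
                .sessionFixation().migrateSession()      // fresh session ID on login
                .maximumSessions(1)                      // one session per principal; installs ConcurrentSessionFilter
                    .maxSessionsPreventsLogin(false)     // false: the new login wins, the old session is expired
                                                         // true:  the second login is refused while the first lives
                    .expiredUrl("/login?expired");       // where the losing session is sent (path is an assumption)
    }

    /**
     * Forwards container session-destroyed events to Spring's SessionRegistry.
     * Without it, timed-out sessions stay registered, which is exactly the
     * stale-record problem described in the first answer.
     */
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

The default SessionRegistryImpl is in-memory, so as with the hand-rolled filter it only covers a single JVM; for several nodes the registry has to be backed by a shared session store.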

When the user logs in, you will want to revoke any other login they may have at the time. This means that you do a check on every request, but you need that for basic checks anyway. For example, you can check the IP address they are accessing from, the servlet session ID, etc. That's all there is to keep track of anyway, especially for fact / reporting logging.

You can then use the annoyance of being logged out to enforce the policy, without making it impossible to move from one system to another and carry on using the interface.

Use the aforementioned fact / report logs to analyze logins and see if there are any usage patterns that don't fit a typical single user: sessions that often switch between two or more computers, especially at similar times.


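The log analysis this answer suggests, as an added example that is not part of the answer. It runs the "same user, different client addresses, close together in time" heuristic over a few constructed log lines of the form "timestamp user client-IP" (the format and the sample data are assumptions; real access logs would need their own parser). It needs Java 16+ for the record type:

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class ConcurrentUseDetector {

    /** One logged request: when, which account, from which client address. */
    record Hit(Instant at, String user, String ip) { }

    /** Constructed sample lines, not taken from a real log. */
    static final String[] SAMPLE = {
        "2024-01-10T09:00:00Z jsmith 203.0.113.5",
        "2024-01-10T09:02:10Z jsmith 198.51.100.7",
        "2024-01-10T09:03:00Z jsmith 203.0.113.5",
        "2024-01-10T09:05:30Z jsmith 198.51.100.7",
        "2024-01-10T09:01:00Z alice 192.0.2.9",
        "2024-01-10T13:00:00Z alice 192.0.2.44",
        "garbage line that should be skipped",
    };

    /** Parses "ISO-8601-time user ip" lines; malformed lines are skipped, not fatal. */
    static List<Hit> parse(String[] lines) {
        List<Hit> hits = new ArrayList<>();
        for (String line : lines) {
            String[] f = line.trim().split("\\s+");
            if (f.length != 3) continue;
            try {
                hits.add(new Hit(Instant.parse(f[0]), f[1], f[2]));
            } catch (java.time.format.DateTimeParseException e) {
                // bad timestamp: skip the line
            }
        }
        return hits;
    }

    /**
     * Accounts whose consecutive requests came from two different client
     * addresses within the given window. Alternating addresses minutes apart
     * is the pattern the answer describes; a single change hours apart (the
     * user moving to another machine) is left alone.
     */
    static Set<String> flagSharedAccounts(List<Hit> hits, Duration window) {
        Map<String, List<Hit>> byUser = new HashMap<>();
        for (Hit h : hits) {
            byUser.computeIfAbsent(h.user(), k -> new ArrayList<>()).add(h);
        }
        Set<String> flagged = new TreeSet<>();
        for (Map.Entry<String, List<Hit>> e : byUser.entrySet()) {
            List<Hit> sorted = new ArrayList<>(e.getValue());
            sorted.sort(Comparator.comparing(Hit::at));
            for (int i = 1; i < sorted.size(); i++) {
                Hit prev = sorted.get(i - 1);
                Hit cur = sorted.get(i);
                boolean addressChanged = !prev.ip().equals(cur.ip());
                boolean closeInTime = Duration.between(prev.at(), cur.at()).compareTo(window) <= 0;
                if (addressChanged && closeInTime) {
                    flagged.add(e.getKey());
                    break;
                }
            }
        }
        return flagged;
    }

    public static void main(String[] args) {
        Set<String> suspects = flagSharedAccounts(parse(SAMPLE), Duration.ofMinutes(10));
        System.out.println("Accounts used from several addresses at once: " + suspects);
    }
}
```

On the sample data only jsmith is reported: the two addresses alternate within minutes, while alice's single address change is four hours apart. This is a reporting heuristic, not an enforcement check: users behind carrier-grade NAT, a corporate proxy or a phone switching between Wi-Fi and mobile data change addresses legitimately, so the output should feed a review or a revenue report rather than an automatic lockout.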