2

I'm working on a web app with Java and JSF. I have a simple login: if it finds the user in the database, it creates a session and stores some information in it. That works great. The thing is, I want to avoid two different people using the same user name and password at the same time. Something like account sharing. Only one user logged in at a time. I have been thinking about this but I can't find the correct approach.

Thanks in advance for all your help.

Daniel Rojas

2 Answers

2

One way I can think of is to put a boolean field `logged_in` in the database, set it to true whenever someone logs in, and set it to false whenever someone logs out or the session expires. Setting it to false when someone logs out is easy. For the session-expired part, I believe that, using JSF, you have a SessionScope managed bean storing information about the user after he logs in. You can implement a `@PreDestroy` method for that managed bean and have it set the field to false before the bean is destroyed on the session-expired event.

When someone sends "username" and "password" to the server through the login panel, you just need to check whether the `logged_in` field is true or not.

Mr.J4mes
  • I can also recommend this solution. Good post! – Mechkov Oct 29 '11 at 18:52
  • What if the application server goes down? You have to manually set the `logged_in` column to false for all users, or update the `logged_in` column to false for all users whenever the application server starts. Otherwise, the user cannot log in, as `logged_in` is always true. – Ken Chan Oct 29 '11 at 19:51
  • @KenChan: I believe running through the whole database and setting all the `logged_in` fields to false doesn't cost that much time and resources. In fact, even if it does cost significant time and resources, it would only cost that once, at the beginning. While the server is running smoothly to serve requests, there would be no extra cost. – Mr.J4mes Oct 30 '11 at 08:33
  • Hello, thanks all for the help. I'm going to try the solution with the database. I'm going to try it and maybe comment about it. – Daniel Rojas Nov 13 '11 at 17:36
  • Hello, quick question about this. I am doing something similar: I have a session-scoped user bean which takes care of all logins and logouts. I have a logout method. For this method, can I just put the `@PreDestroy`? – Michael Miner Dec 08 '14 at 14:07
1

You can create an application-scoped bean to keep track of which users are currently logged in to the web application. When a bean is application scoped, all the request/response cycles for all clients will use the same bean instance.

You may declare a HashSet in this application-scoped bean to store the userIDs of all currently logged-in users. When a user logs in, check whether his userID is inside the HashSet. If yes, it means he is logged in already. Otherwise, it means he has not logged in yet.

Whenever a user successfully logs in, put his userID into the HashSet. Whenever a user logs out, remove his userID from the HashSet. For the expiry of a user session, use HttpSessionListener or `@PreDestroy` to capture this event and remove the corresponding userID from the HashSet.

For how to capture the session-expired event, you can refer to this.

For how to force an application-scoped bean to instantiate when the web app starts, you can refer to this.

Ken Chan
  • When the number of users becomes larger and larger, your ApplicationBean will become less and less efficient. Since your bean is always there, it would eventually affect the performance of the server. I have no idea how bad it is but it's just my 2 cents :P – Mr.J4mes Oct 30 '11 at 08:36
  • Also, what happens if you create more app servers for load balancing? Curious, as I don't know if application-scoped beans can share state between application servers. – Bill Rosmus Mar 06 '15 at 06:30
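
The application-scoped registry described in the second answer, as an added example that is not part of the original posts. It swaps the HashSet for a `ConcurrentHashMap` so that the "is this user already logged in?" check and the insert happen in one atomic step. The class name `ActiveLoginRegistry`, the methods `tryLogin` and `release`, and the sample user and session ids are hypothetical, and it assumes a single application server; it is plain Java so it runs without a JSF container.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical registry; in a JSF app this would be the application-scoped bean.
public class ActiveLoginRegistry {
    // userId -> id of the session that currently owns the login
    private final ConcurrentMap<String, String> active = new ConcurrentHashMap<>();

    // Call after the password check succeeds. putIfAbsent is atomic, so two
    // simultaneous logins for the same user cannot both pass the check.
    public boolean tryLogin(String userId, String sessionId) {
        return active.putIfAbsent(userId, sessionId) == null;
    }

    // Call from logout and from the session-expiry hook (HttpSessionListener
    // or @PreDestroy). Removes the entry only if this session still owns it.
    public boolean release(String userId, String sessionId) {
        return active.remove(userId, sessionId);
    }

    public static void main(String[] args) throws InterruptedException {
        ActiveLoginRegistry registry = new ActiveLoginRegistry();
        AtomicInteger accepted = new AtomicInteger();
        CountDownLatch start = new CountDownLatch(1);
        Thread[] clients = new Thread[8];
        // Constructed scenario: 8 browsers submit the same credentials at once.
        for (int i = 0; i < clients.length; i++) {
            String sessionId = "session-" + i;
            clients[i] = new Thread(() -> {
                try {
                    start.await(); // release all threads together
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    return;
                }
                if (registry.tryLogin("daniel", sessionId)) {
                    accepted.incrementAndGet();
                }
            });
            clients[i].start();
        }
        start.countDown();
        for (Thread t : clients) t.join();
        System.out.println("accepted logins: " + accepted.get());
        // A stale session expiring later must not evict the real owner.
        System.out.println("stale release: " + registry.release("daniel", "not-the-owner"));
    }
}
```

Because the map lives only in memory, it starts empty after a server restart, so no stale "logged in" entries survive a crash.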