Re: [jetty-users] HttpSession object lifetime

What would you like to achieve with

> I am trying to set up a scheme where a user can be limited to no more than
> one logged in session at the same time. Any existing session for a
> particular user that logs in should be invalidated making the last
> session the only valid one.

Do you want to prevent the user from logging in more than once?
Then it might be enough to store the current session ID on login. If any request is made with a different session ID but the same user, you can then invalidate the session and redirect the user to a "session-expired-page".

If you would instead like to "join" the other session, you might want to invalidate the current one, redirect to some intermediate page that updates cookies/URL parameters so the browser uses the active session, and afterwards redirect to the originally requested page.



On 29.04.21 at 15:32, Silvio Bierman wrote:
Hello all,

This might be a generic servlet question but since Jetty (10.0.2, embedded mode) implements otherwise unspecified behavior I would like to ask this here anyway.

I am trying to set up a scheme where a user can be limited to no more than one logged in session at the same time. Any existing session for a particular user that logs in should be invalidated making the last session the only valid one. Somehow I need to manage a mapping from user name to some session referencing information that represents currently active sessions and allows me to invalidate a session. I did a quick-and-naive implementation using a WeakValueMap that maps the user name to a weak reference to a HttpSession object. Unfortunately, that showed very erratic behavior (existing sessions were not in the map) that I at first could not explain. I decided to try what happened when I use the HttpSession objects themselves as mapped values. That worked. I suspect that the HttpSession objects could be more temporary than I thought and that the validity of a HttpSession object is only guaranteed during the lifetime of the HttpServletRequest object that it was obtained from. That makes perfect sense and explains what I observed.

But now my question is: how can I achieve my goal? I can map user names to session IDs but have no way of accessing the related sessions, other than using the ID to make up some request that is handled by invalidating the then accessible session. This seems rather clumsy and I am hoping there is a better way to do this.

Any suggestions would be welcome.

Thanks,

Silvio
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
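
The first suggestion in the reply above (record the session ID at login, then invalidate any session of the same user that carries a different ID) written out as an added example; it is not code from the thread or from Jetty. It assumes the `javax.servlet` API that Jetty 10 provides and a single server node; the class name, session attribute name and redirect path are hypothetical, and the class has to be registered both as a filter and as a session listener.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: only the session ID recorded at a user's latest login stays valid. */
public class SingleSessionFilter implements Filter, HttpSessionListener {
    static final String USER_ATTR = "auth.user";            // assumed session attribute name
    static final String EXPIRED_PAGE = "/session-expired";  // assumed path of the expiry page
    // user name -> ID of the one session allowed for that user. Only IDs are stored,
    // so nothing depends on how long the container keeps an HttpSession object alive.
    private static final ConcurrentMap<String, String> ACTIVE = new ConcurrentHashMap<>();

    /** Call from the application's login handler once the credentials have been verified. */
    public static void registerLogin(HttpServletRequest req, String user) {
        HttpSession session = req.getSession(true);
        // Addition beyond the reply: issue a fresh ID at login so a pre-login ID is not reused.
        String id = req.changeSessionId();
        session.setAttribute(USER_ATTR, user);
        ACTIVE.put(user, id);   // any older session of this user is now superseded
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        String user = session == null ? null : (String) session.getAttribute(USER_ATTR);
        if (user != null && !session.getId().equals(ACTIVE.get(user))) {
            // Same user, different session ID: this is the older login. The old session
            // is invalidated on its own next request, where the container has loaded it.
            session.invalidate();
            res.sendRedirect(req.getContextPath() + EXPIRED_PAGE);
            return;
        }
        chain.doFilter(rq, rs);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent ev) {
        HttpSession s = ev.getSession();
        Object user = s.getAttribute(USER_ATTR);
        // Two-argument remove: drop the entry only if it still points at this session,
        // so the expiry of a superseded session never evicts the newer login.
        if (user != null) ACTIVE.remove((String) user, s.getId());
    }
}
```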