2 Replies Latest reply on May 28, 2009 2:34 PM by tarsia

    prevent multi-login in one and the same browser?

      Hi,


      we are using seam security for user-login in a RichFaces application.


      Is it possible to prevent a second login in one and the same browser or to kill the workspace of the first user?


      Here is our scenario, which you can reproduce in the seamspace example for example:


      1. We have a login-page (login.xhtml). When login is successful the user is redirected to the main-page (main.xhtml).


      2. USER A is logged in the first tab/workspace of a browser


      3. Then USER B will login in a second tab/workspace of one and the same browser.


      At the moment the user/session in the first tab/workspace will automatically change from USER A to USER B with all the permissions of USER B.


      I tried to prevent this with a logoff of USER A before a second logoff happens:


      - org.jboss.seam.web.Session.instance().invalidate();


      - identity.logout();


      Now my questions:


      1. Is it possible to destroy the first tab/workspace if you continue work in it after USER B has logged in? Destroy means for example to do a redirect to the login-page with a navigation rule or to automatically close the tab/workspace of the browser.


      2. Alternatively is it possible to prevent a second login of another user in one and the same browser?


      In my opinion the user should be responsible for a correct logout, but we need this for security reasons.


      Any advice is welcome.


      Many thanks for your help
      tarsia

        • 1. Re: prevent multi-login in one and the same browser?
          pgmjsd

          The HTTP session cookie will be shared between tabs in the same browser.  That means that the server cannot distinguish between the tabs based on that alone.  You'd have to come up with some way to pass the identity of the window/tab to the server in every request.


          So, you don't want users to have multiple windows/tabs on the same session?



          I've heard of (and implemented) not allowing more than one session for a user, but only one window seems a little extreme.

          • 2. Re: prevent multi-login in one and the same browser?

            Many thanks for your help. Then we will make a redirect on the login-page to the main-page if a login already exists so that it's not possible to login as another user and everything is ok.


            Kind regards
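
Added example, not part of the original thread and not Seam code: a plain-Java model of the scenario above, showing why both tabs follow one session cookie and how the redirect agreed on in the last reply behaves when the login action itself is guarded as well. The class, method and cookie names are hypothetical and the password check is omitted.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed model of the thread's scenario; all names here are hypothetical.
public class LoginGuardDemo {
    // Server-side session store, keyed by the session cookie value.
    static final Map<String, String> userBySession = new HashMap<>();

    // GET of the login page: an already authenticated session goes to the main page.
    static String getLoginPage(String sessionCookie) {
        return userBySession.containsKey(sessionCookie)
                ? "redirect:/main.xhtml" : "render:/login.xhtml";
    }

    // POST of the login form. With guard=false the session owner is overwritten,
    // which is the behaviour described in the question. With guard=true a session
    // that already has a user is never re-bound; this also covers a login form
    // that was opened in a second tab before the first tab logged in.
    static String postLogin(String sessionCookie, String user, boolean guard) {
        boolean alreadyBound = userBySession.containsKey(sessionCookie);
        if (!(guard && alreadyBound)) {
            userBySession.put(sessionCookie, user); // credential check omitted in this model
        }
        return "redirect:/main.xhtml";
    }

    // What any tab sees on its next request: the user bound to the shared cookie.
    static String currentUser(String sessionCookie) {
        return userBySession.get(sessionCookie);
    }

    public static void main(String[] args) {
        String cookie = "JSESSIONID=constructed-value"; // both tabs send this same cookie

        postLogin(cookie, "USER A", false); // tab 1
        postLogin(cookie, "USER B", false); // tab 2, no guard
        System.out.println("unguarded, tab 1 now acts as: " + currentUser(cookie));

        userBySession.clear();
        postLogin(cookie, "USER A", true);  // tab 1
        System.out.println("tab 2 GET login -> " + getLoginPage(cookie));
        postLogin(cookie, "USER B", true);  // tab 2, stale login form
        System.out.println("guarded, tab 1 still acts as: " + currentUser(cookie));
    }
}
```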