5 Replies Latest reply on Dec 21, 2010 11:09 AM by raphaufrj

    How to prevent concurrent login

    raphaufrj
    raphaufrj Dec 18, 2010 6:46 PM

      Hi Seam Experts,


      In my seam app, I need to implement a control of concurrent login. It means, If an user try to do login and the same user was logged , the system have to raise a message error. Or I can invalidate the old session, and keeping the new one.


      Anyway, before I implement this control using my knowledge in HttpSession listeners, has Seam any form to do this? I saw in seam security project exists this capability.


      Thanks in advance.

      • 2502 Views
      • Tags:
        • 1. Re: How to prevent concurrent login
          lvdberg
          lvdberg Dec 21, 2010 6:03 AM (in response to raphaufrj)

          Hi,


          I just posted an answer in another thread.


          Leo

            • Actions
          • 2. Re: How to prevent concurrent login
            lvdberg
            lvdberg Dec 21, 2010 6:06 AM (in response to raphaufrj)

            Hi,


            I forgot to add the query you should use when authenticating:




            User user = (User) entityManager.createQuery("select u from User u "
                              + "where u.userName = :username and u.active = es.esam.itsdomain.common.enums.YesNoEnum._yes")
                         .setParameter("username", credentials.getUsername())
                         .getSingleResult();




            I use the active field of a User to see if he/she is already logged in.


            Leo


              • Actions
            • 3. Re: How to prevent concurrent login
              raphaufrj
              raphaufrj Dec 21, 2010 9:23 AM (in response to raphaufrj)

              Hi Leo,


              thanks for the answer.


              1. Where's the post?


              2. My problem is not just use persistence in authenticator. If the user browser crashed, or the user clicks on close windows. I don't know how can I set my flag to false? In that situations, This flag can be put to false, in a session listener, but it's only possible doing in session timeout. In other words, the user will be blocked in the meanwhile.

                • Actions
              • 4. Re: How to prevent concurrent login
                lvdberg
                lvdberg Dec 21, 2010 9:44 AM (in response to raphaufrj)

                Hi,


                http://seamframework.org/Community/StoppingUsersToHaveMultipleSessions


                A session has a time-out, so even when the browser crashes, the application will clean-up, so the bean destroy-method will be called and you can do what you need to do.
                I am thinking of adding a specific unlock feature (because I am using this to prevent users working on different places at the same time).
                Such a function will basically be something like:


                if not loggedIn and active yes ::  send email and Captcha and unlock the account.


                Leo

                  • Actions
                • 5. Re: How to prevent concurrent login
                  raphaufrj
                  raphaufrj Dec 21, 2010 11:09 AM (in response to raphaufrj)

                  Hi,


                  I get your point Leo.


                  In my case, I have to activate the user again after a timeout or browser crashes. If not, my users will cause me a big  headache.


                  However, I was discussing the same topic in Java Ranch, and after that I have been talking with my friend and He told me about Caching in cluster environments. I'll implement the solution, but it seems to work.


                  Link is here: http://www.coderanch.com/t/513463/Servlets/java/Restricting-multiple-logins

                    • Actions