2 Replies Latest reply on Apr 12, 2002 10:53 AM by Jean-Christophe P

    Single Login

    r_clegg1 Newbie

      does anyone have a simple solution to preventing more than one user at a time to login to an account. I have been investigating this for some time. The easiest seems
      to be a ping of a concurrent users database each time a
      logged on user enters a request. If the account is not currently logged on, the account is registered on the database together with timestamp and session id.
      Thereafter, the user pings and updates the timestamp with each request. If other users try to logon with this account, they will get a polite 'no-way'.
      If the user using the account times out or logs of, the
      register on the database is removed and other users
      can then register. The timestamp can also be checked
      by other users and new user can 'grab' the account if the last time accessed has been exceeded.

      Advantages: can be used over a distributed system.
      Disadvantages: would have to have a call to a ping ejb
      every time the user makes a request.

        • 1. Re: Single Login
          J. Wolfgang Kaltz Novice

          It is an interesting question, I don't have a simple solution, but the most efficient way would probably to write your own security interceptor. This is described in the JBoss documentation, though I haven't tried it myself.
          I guess what you need to achieve, instead of checking calls only on username/password credentials (which is what the default security layer does), is cache username/password/http-session-id in your security layer.

          • 2. Re: Single Login
            Jean-Christophe P Newbie

            This question (or the issue of caching passwd+user)
            seems to be recurrent (I post the same question
            3 days ago, and have seen different questions
            regarding caching changing passwd, etc)
            may be we can try to find a clean common solution,
            or to do a FAQ !


            ! This is not the clean version at all !
            Meanwhile, I thought to a 'hack solution' for the single login :
            adding a random piece of junk (+maybe hostname+time!)
            before the passwd well it is nasty but it will avoid
            to call the cache version of the real password during
            loggin phase I do not know if it can be implemented
            in a web context (but this is not my case and you may be able to add the sessionid in this case ?) or if a MD5
            version of the passwd is encoded ?