Session handling in Vaadin - java

I have a Vaadin application that starts with a user login, but the problem with Vaadin is the session handling, as I can open two sessions from 2 different browsers with the same login, which should not be possible. I did not find any documentation regarding that besides this topic, but it's not working properly as the data are not saved in the hashmap correctly. Anyone got the same problem?

Vaadin 7 by default creates a new UI instance every time a new browser tab is opened (or the tab is refreshed). You should store information about the current user in the VaadinSession or the standard HttpSession and check in UI.init() whether the session contains user information.
To store information in the VaadinSession one can say:
VaadinSession.getCurrent().setAttribute("currentUser", currentUser)
The HttpSession can be accessed as follows in Vaadin:
VaadinSession.getCurrent().getSession()
Please note that VaadinSessions are stored in the HttpSession, and an HttpSession can contain multiple VaadinSessions if multiple Vaadin servlets are deployed from the same war file and the user uses them at the same time.
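The gate the answer describes, written out as an added example (this is not the answerer's code and not part of Vaadin): a Vaadin 7 UI that reads the principal from the VaadinSession in init(), rotates the HTTP session id when the login succeeds, and invalidates the wrapped HttpSession on logout. It assumes Vaadin 7.1 or later (for VaadinService.reinitializeSession) and uses a constructed in-memory user table with one fixed salt purely as a stand-in for a real credential store; the user name "alice" and its passphrase are made up for the example.

```java
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

import com.vaadin.server.VaadinRequest;
import com.vaadin.server.VaadinService;
import com.vaadin.server.VaadinSession;
import com.vaadin.ui.Button;
import com.vaadin.ui.Component;
import com.vaadin.ui.Label;
import com.vaadin.ui.Notification;
import com.vaadin.ui.PasswordField;
import com.vaadin.ui.TextField;
import com.vaadin.ui.UI;
import com.vaadin.ui.VerticalLayout;

public class SessionGateUI extends UI {

    /** What is kept in the VaadinSession: the principal, nothing more. */
    public static final class CurrentUser implements Serializable {
        private final String name;
        CurrentUser(String name) { this.name = name; }
        public String getName() { return name; }
    }

    @Override
    protected void init(VaadinRequest request) {
        // A new UI is created for every tab or refresh, but all of them share
        // the one VaadinSession, so the user stored there is visible to each.
        CurrentUser user = VaadinSession.getCurrent().getAttribute(CurrentUser.class);
        setContent(user == null ? loginForm() : mainView(user));
    }

    private Component loginForm() {
        final TextField username = new TextField("Username");
        final PasswordField password = new PasswordField("Password");
        Button login = new Button("Log in");
        login.addClickListener(new Button.ClickListener() {
            @Override
            public void buttonClick(Button.ClickEvent event) {
                if (!verify(username.getValue(), password.getValue())) {
                    Notification.show("Login failed");
                    return;
                }
                // Rotate the HTTP session id on authentication (Vaadin 7.1+), so an
                // id handed out before login cannot be replayed afterwards.
                VaadinService.reinitializeSession(VaadinService.getCurrentRequest());
                CurrentUser user = new CurrentUser(username.getValue());
                VaadinSession.getCurrent().setAttribute(CurrentUser.class, user);
                setContent(mainView(user));
            }
        });
        return new VerticalLayout(username, password, login);
    }

    private Component mainView(CurrentUser user) {
        Button logout = new Button("Log out");
        logout.addClickListener(new Button.ClickListener() {
            @Override
            public void buttonClick(Button.ClickEvent event) {
                // Invalidating the wrapped HttpSession drops the VaadinSession and every
                // UI (tab) attached to it; the redirect then lands on a fresh session.
                getPage().setLocation("/");
                getSession().getSession().invalidate();
            }
        });
        return new VerticalLayout(new Label("Logged in as " + user.getName()), logout);
    }

    // Credential check against a constructed demo store (assumption: a real app
    // would use a per-user salt and a database or directory instead).
    private static final byte[] SALT = "constructed-demo-salt".getBytes(StandardCharsets.UTF_8);
    private static final Map<String, byte[]> USERS = new HashMap<String, byte[]>();
    static { USERS.put("alice", pbkdf2("correct horse battery staple")); }

    private static byte[] pbkdf2(String password) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), SALT, 100000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static boolean verify(String username, String password) {
        byte[] stored = USERS.get(username);
        byte[] candidate = pbkdf2(password);   // always computed, so unknown users cost the same time
        return stored != null && MessageDigest.isEqual(stored, candidate);
    }
}
```

Note that this only gates each UI on "is someone logged into this session"; it does nothing about the same account being used from two browsers, which is the question's actual complaint and is covered by the answers below.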

How to prevent concurrent logins?
I keep track of logins using a self-generated login token: a random string between 32 and 128 bytes in length that gets stored in a cookie and in a backend database, typically under the user's account.
If User (A) shares her login credentials with User (B), a new login token is generated for the new login, stored in a cookie and updated in the backend database.
If User (A) (who might, for example, already be logged in) attempts to perform an action while User (B) has just logged in, User (A)'s session will be destroyed and she'll be redirected to the login screen after a backend check confirms her login token isn't a match.
Think of sessions and logins as two different things. Sessions can be generated all day long, but login STATE should be stored in a central store.
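The token scheme above as an added example in plain Servlet API (this is not the answerer's code): a filter that, on every request of a logged-in session, compares the token in the browser's cookie with the account's current token and kicks the session out on mismatch. The in-memory map is an assumed stand-in for the backend database, the attribute name "user", the cookie name "login_token" and the "/login" path are made up for the example, and Cookie.setHttpOnly needs Servlet 3.0 or later.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** One valid login token per account; the latest login wins. */
public final class SingleLoginFilter implements Filter {
    static final String USER_ATTR = "user";
    static final String COOKIE = "login_token";
    private static final SecureRandom RNG = new SecureRandom();
    // username -> current token. Stand-in for the database column the answer describes.
    static final ConcurrentMap<String, String> CURRENT = new ConcurrentHashMap<String, String>();

    /** Issue a fresh 32-byte token; whatever token the account had before is now dead. */
    public static String issue(String username) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        CURRENT.put(username, token);
        return token;
    }

    /** Constant-time comparison, so a mismatch leaks nothing about the stored token. */
    public static boolean isCurrent(String username, String presented) {
        String expected = username == null ? null : CURRENT.get(username);
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    /** Call from the login handler once the credentials have been verified. */
    public static void onLogin(String username, HttpServletRequest req, HttpServletResponse res) {
        HttpSession session = req.getSession(true);
        session.setAttribute(USER_ATTR, username);
        Cookie c = new Cookie(COOKIE, issue(username));
        c.setHttpOnly(true);   // not readable from script
        c.setSecure(true);     // only sent over TLS
        c.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        res.addCookie(c);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);
        String user = session == null ? null : (String) session.getAttribute(USER_ATTR);
        if (user != null && !isCurrent(user, cookieValue(req, COOKIE))) {
            // Someone logged in as this user after we did: this session loses.
            session.invalidate();
            res.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        chain.doFilter(request, response);
    }

    private static String cookieValue(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (name.equals(c.getName())) return c.getValue();
        return null;
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Map the filter to every authenticated URL and keep the login page outside it. Because the token cookie travels with the same browser as the session cookie, the token could just as well be kept as a session attribute; the cookie is used here only to match the answer's design. The check is a comparison against a central store, so it keeps working when sessions live on several servers, which the per-JVM map approaches below do not.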

You can save all logged-in users to a static Set. Static variables are globally shared. When the app starts, check whether the collection already contains the login.

Related

How to Logoff user when a user logsIn some where else

I am trying to implement the functionality with which, when a user is logged in at one place and tries to log in somewhere else, he should automatically be logged out from the previous place.
Like in Gmail.
If someone can give me the concept: I think I need to save the user's logged-in status in the DB, as sessions don't look helpful. But then I don't understand how we update the user status in the DB if there is no activity for, let's say, 5 minutes (how will I capture the inactivity and update it in the DB?).
If someone can please guide me, I have been struggling with this for hours now.
Thanks
When the user logs in, add the user session with its id to a HashMap. When the same user logs in again, check for the entry in the HashMap and, if present, invalidate that session and create a new session for the user.
If you are using Spring Security, it provides this functionality out of the box.
Otherwise:
Create a java.util.Map (a ConcurrentMap is preferred, so manipulating it concurrently won't corrupt it) and store it in application scope (ServletContext).
Now store each user and a reference to their session in the map upon login, and if a user logs in again, just fetch the previous session object and invalidate it.
Then implement an instance of javax.servlet.http.HttpSessionListener, and in its void sessionDestroyed(javax.servlet.http.HttpSessionEvent httpSessionEvent); method remove the specified session from the Map. (This listener is invoked on session invalidation, whether it is done automatically by the container or programmatically by you.) Just register this listener in web.xml and everything is done.
p.s. I know that it will be somewhat harder if you are deploying your application on a cluster of web containers, but when you have just one server, that's OK.
p.s. I don't recommend storing session information in the DB.
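The registry the two answers above describe, as an added example that is not the answerers' code: a user-to-session ConcurrentMap kept in the ServletContext, a login method that evicts the previous session, and an HttpSessionListener that keeps the map honest when sessions time out. The attribute name "user" is an assumption; register the class in web.xml as a listener (or with @WebListener on Servlet 3.0+).

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Application-scoped user -> session registry; a new login evicts the old session.
 * web.xml: <listener><listener-class>SessionRegistry</listener-class></listener>
 */
public final class SessionRegistry implements ServletContextListener, HttpSessionListener {
    private static final String CTX_ATTR = SessionRegistry.class.getName();
    static final String USER_ATTR = "user";
    private final ConcurrentMap<String, HttpSession> byUser = new ConcurrentHashMap<String, HttpSession>();

    /** Look the registry up from any servlet via getServletContext(). */
    public static SessionRegistry from(ServletContext ctx) {
        return (SessionRegistry) ctx.getAttribute(CTX_ATTR);
    }

    @Override public void contextInitialized(ServletContextEvent e) {
        e.getServletContext().setAttribute(CTX_ATTR, this);
    }

    @Override public void contextDestroyed(ServletContextEvent e) {
        e.getServletContext().removeAttribute(CTX_ATTR);
        byUser.clear();
    }

    @Override public void sessionCreated(HttpSessionEvent e) { }

    /** Runs for timeouts and explicit invalidate(); attributes are still readable here (Servlet 2.4+). */
    @Override public void sessionDestroyed(HttpSessionEvent e) {
        Object user = e.getSession().getAttribute(USER_ATTR);
        // remove(key, value): drop the entry only if it still points at THIS session,
        // otherwise evicting an old session would erase the freshly registered one.
        if (user != null) byUser.remove(user, e.getSession());
    }

    /**
     * Bind the authenticated user to a fresh session. Returns the id of the session
     * that was kicked out, or null if the user was not logged in anywhere else.
     */
    public String login(String user, HttpServletRequest req) {
        // New session id on login, so an id fixed before authentication is useless
        // afterwards (on Servlet 3.1 req.changeSessionId() does the same in one call).
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(USER_ATTR, user);

        HttpSession previous = byUser.put(user, fresh);
        if (previous == null) return null;
        String evictedId = previous.getId();
        try {
            previous.invalidate();   // fires sessionDestroyed -> remove(user, previous): a no-op now
        } catch (IllegalStateException alreadyInvalid) {
            // expired between put() and here; nothing left to do
        }
        return evictedId;
    }
}
```

The "inactivity for 5 minutes" part of the question needs no polling: set the session timeout to five minutes (session-timeout in web.xml or HttpSession.setMaxInactiveInterval) and the container calls sessionDestroyed for you. As the answer says, the map lives in one JVM; on a cluster the registry has to move to a shared store.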

Restore previous session's attribute

Suppose a user logs in with username="ABC",
and some data is set in the session as follows:
session.setAttribute("mydata", mydata);
If the current session expires, the user is redirected to the login page.
And now, if the user logs in again with the same username ("ABC"),
can we retrieve the previous session's attribute so that the user can continue his work?
Please suggest a possible solution to retrieve the data of the previous session.
Thank you.
I don't believe it is possible. However, you can always create a semaphore that your app checks whenever the user logs in, and invalidate the session if there's already an existing user session running.
This semaphore could be as simple as a Java static variable if you are running in a non-clustered environment, or, a better approach, a flag in a database table, especially if you are running in a clustered environment.
Not possible; when the session expires everything it contains is dead. This is controlled by the container.
You could save session attributes to the database before they expire, then add them back to the new session when the user logs in again.
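The save-before-expiry approach in the last answer, as an added example that is not the answerer's code: an HttpSessionListener snapshots the Serializable attributes of a dying session under its "username" attribute, and the login code puts them back into the new session. The ConcurrentMap stands in for the database table the answer has in mind; the attribute name "username" is an assumption.

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Saves a dying session's attributes under the user name and restores them on the next login. */
public final class SessionSnapshotListener implements HttpSessionListener {
    static final String USERNAME = "username";
    // username -> saved attributes. Stand-in for the database table the answer suggests.
    static final ConcurrentMap<String, Map<String, Object>> SAVED =
            new ConcurrentHashMap<String, Map<String, Object>>();

    @Override public void sessionCreated(HttpSessionEvent e) { }

    /** Servlet 2.4+: the session is still readable inside sessionDestroyed, for timeouts and invalidate(). */
    @Override public void sessionDestroyed(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        String user = (String) s.getAttribute(USERNAME);
        if (user == null) return;                         // anonymous session: nothing worth keeping
        Map<String, Object> snapshot = new HashMap<String, Object>();
        for (String name : Collections.list(s.getAttributeNames())) {
            Object value = s.getAttribute(name);
            // Keep only user data that can live outside the container; the principal
            // itself is re-established by the new login, never copied across.
            if (value instanceof Serializable && !USERNAME.equals(name)) snapshot.put(name, value);
        }
        SAVED.put(user, snapshot);
    }

    /** Call right after a successful login into a fresh session. Returns how many attributes came back. */
    public static int restore(String user, HttpSession fresh) {
        Map<String, Object> snapshot = SAVED.remove(user);   // one-shot: a restore consumes the snapshot
        if (snapshot == null) return 0;
        for (Map.Entry<String, Object> en : snapshot.entrySet()) {
            fresh.setAttribute(en.getKey(), en.getValue());
        }
        return snapshot.size();
    }

    /** Explicit logout: invalidate (which takes a snapshot) and then throw that snapshot away. */
    public static void logout(String user, HttpSession session) {
        session.invalidate();
        SAVED.remove(user);
    }
}
```

Only restore what is really user work in progress. Anything that encoded a decision the old session had made (a cached role check, a "password verified" flag, a one-time token) must not be carried over, because the new login is the only thing that should establish those.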

How to store data in session so that it works for simultaneous log-ins also

During application startup, using the login id of the user, I make a database call, load all of his accounts and set them in the session as shown:
session.setAttribute("userinfo",userinfo);
and I use this account information in the service layer to do a check before making a call to the database.
Now the problem is that if a user (who has multiple accounts) logs in simultaneously in the same browser, it creates the same session id; as a result the session holds only the information of the last logged-in user.
Is there any way I can solve this, maybe by changing the way I store the data?
Please help.
It may not be the best solution, but this will help to solve the problem.
What you could do is associate the user id with the session id and, on every page load / click, check whether the session id matches the logged-in user's user id. If it matches, disregard and run the page as usual; otherwise fetch the user info from the database and reassign the variables again.
You can use URL rewrite instead of cookies. The downside is that the session ID is exposed in the URL.

lock logged in user in oracle by java

I have a Java web application in JSP and servlets with Oracle 10g EE as the DB. On login, if a user has already logged in, how can I prevent the same user from logging in again unless he signs out?
Note: I am not saying that if a logged-in user clicks on the login page he should immediately be forwarded to his home page.
I am asking how I can prevent a logged-in user from logging in again if he is already logged in. Suppose user A is already logged in to the DB (sign-out not done); then user B tries to log in to the DB with the user id and password of user A. Then user B should simply be prevented from logging in. How do I implement that?
You need to manage a map of logged-in users, Map<String, String> userToSessionIdMap. When a user logs in, check whether a session already exists for this user name; if yes, deny, else allow the login.
On logout you need to remove the entry from the map; you also need to implement HttpSessionBindingListener so that when the session expires it removes the entry again.
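The deny-the-second-login policy from the answer above, as an added example that is not the answerer's code. Unlike a registry that evicts the older session, this one is "first login wins": the lock object is bound into the winning session and implements HttpSessionBindingListener, so the container releases the entry itself when the session times out or is invalidated, with nothing to register in web.xml. The map key and value types are the userToSessionIdMap from the answer; everything else is an assumption for the example.

```java
import java.io.Serializable;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Per-user login lock: a second login while a live session holds the lock is refused. */
public final class LoginLock implements HttpSessionBindingListener, Serializable {
    private static final String KEY = LoginLock.class.getName();
    // user name -> session id (the userToSessionIdMap from the answer)
    static final ConcurrentMap<String, String> ACTIVE = new ConcurrentHashMap<String, String>();

    private final String username;
    private final String sessionId;   // captured at bind time; safe to use while the session is dying

    private LoginLock(String username, String sessionId) {
        this.username = username;
        this.sessionId = sessionId;
    }

    /** Returns false if the user is already logged in from a different session. */
    public static boolean tryLogin(String username, HttpSession session) {
        // putIfAbsent is atomic, so two simultaneous logins for one user cannot both win.
        String holder = ACTIVE.putIfAbsent(username, session.getId());
        if (holder == null) {
            session.setAttribute(KEY, new LoginLock(username, session.getId()));
            return true;
        }
        // Same session logging in again: keep the existing lock. Re-binding would fire
        // valueUnbound on the old lock and release the entry by mistake.
        return holder.equals(session.getId());
    }

    /** Explicit sign-out: invalidating the session unbinds the lock, which releases the entry. */
    public static void logout(HttpSession session) {
        session.invalidate();
    }

    public static boolean isLoggedIn(String username) {
        return ACTIVE.containsKey(username);
    }

    @Override public void valueBound(HttpSessionBindingEvent event) { }

    /** Timeout, invalidate() or removeAttribute(): release only if this session still owns the entry. */
    @Override public void valueUnbound(HttpSessionBindingEvent event) {
        ACTIVE.remove(username, sessionId);
    }
}
```

The trade-off of this policy is the one the question asks for: a user who closes the browser without signing out stays locked out until the session timeout releases the entry, so keep that timeout short or offer an administrative way to clear the lock. Like the other map-based answers, it is per JVM.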
Also See
prevent multiple login using the same user name and password
Preventing multiple login
Let the database do its own job!
(This solution assumes that you can get help from DBAs; or you have SYSDBA access to the database.)
First create a profile that allows only 1 session per user:
CREATE PROFILE single_session_profile
LIMIT SESSIONS_PER_USER 1;
Then create the user with the right profile or alter an existing user to use the profile:
CREATE USER user_a
IDENTIFIED BY user_id
DEFAULT TABLESPACE users
TEMPORARY TABLESPACE temp
QUOTA UNLIMITED ON users
PROFILE single_session_profile;
or
ALTER USER user_a
PROFILE single_session_profile;
Finally, the database needs to observe these limits:
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = MEMORY;
(SCOPE = MEMORY enables limit enforcement for the currently running database instance; if you want to make it persistent, i.e. enabled after a database restart, you need to use SCOPE = BOTH where BOTH means both MEMORY and SPFILE, i.e. DB initialization file. If the database does not use the new SPFILE format, but the old PFILE (init.ora), then you need to add the RESOURCE_LIMIT setting to the init.ora and restart the database.)
That's it. If user_a tries to log in twice, it will get:
ORA-02391: exceeded simultaneous SESSIONS_PER_USER limit

Wicket session not persisted in GAE

I have a very basic Wicket app that I'm trying to deploy to GAE. I have the basics working, after following the steps here and also binding the session object upon creation.
I'm having trouble saving any state in a session. My session class extends AuthenticatedWebSession. The login pages authenticates via AuthenticatedWebSession.authenticate(), which always returns true and sets the username in a member variable. But subsequent pages see a null username in the session and AuthenticatedWebSession.isSignedIn() returns false.
I do seem to be maintaining a session, as every page will see the same value for Session.getId().
Any ideas?
TIA!
Chris
My question was answered on the Wicket mailing list - the answer is that I needed to call Session.dirty() after authenticating (or after any other change to the session members) to ensure it would be saved. Apparently in my development environment, sessions were always saved but GAE is more optimized and thus only saving dirty sessions.
I spent about 2 days delving down the rabbit hole of sessions and cookies and I finally realised my issue was this:
app.secret_key = os.urandom(50)
Every time an instance boots up it generates a new key and now the users session is lost.
You need to make your key static
app.secret_key = "really-complex-key-that-is-static-and-never-changes"
Hopefully this is your issue too.
