i have one java web application in jsp and servlet and db as oracle 10g EE. In login if one user has been logged in then how can i prevent same user from logging again unless sign out?
Note: I am not telling that if a logged in user will click on login page then immediately he would be forwarded to his home page.
I am asking is how can i prevent that logged in user to login again if he is already logged in. Suppose user A is already logged in into the db(sign out not done), then user B tries to login in to db with the user id and password of user A, then simply user B will be prevented from login. How do i implement that?
You need to manage a map of logged in users, Map<String, String> userToSessionIdMap when user logs in you check if there is any session exist for this user name if yes deny else allow login,
Now on logout you need to remove the entry from map, also you need to implement HttpSessionBindingListener so when session expires it removes the entry again
Also See
prevent multiple login using the same user name and password
Preventing multiple login
Let the database do it's own job!
(This solution assumes that you can get help from DBAs; or you have SYSDBA access to the database.)
First create a profile that allows only 1 session per user:
CREATE PROFILE single_session_profile
LIMIT SESSIONS_PER_USER 1;
Then create the user with the right profile or alter an existing user to use the profile:
CREATE USER user_a
IDENTIFIED BY user_id
DEFAULT TABLESPACE users
TEMPORARY TABLESPACE temp
QUOTA UNLIMITED ON users
PROFILE single_session_profile;
or
ALTER USER user_a
PROFILE single_session_profile;
Finally, the database needs to be observe these limits:
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = MEMORY;
(SCOPE = MEMORY enables limit enforcement for the currently running database instance; if you want to make it persistent, i.e. enabled after a database restart, you need to use SCOPE = BOTH where BOTH means both MEMORY and SPFILE, i.e. DB initialization file. If the database does not use the new SPFILE format, but the old PFILE (init.ora), then you need to add the RESOURCE_LIMIT setting to the init.ora and restart the database.)
That's it. If a user_a tries to log in twice, it will get:
ORA-02391: exceeded simultaneous SESSIONS_PER_USER limit
Related
I use the Firebase realtime database in my Android app where disk persistence is enabled.
When the user opens the app for the first time I read auth status, if that is null I show the login screen and after the login, I will get the username stored against this user id in the realtime database.
If the username is null then I will show username setup screen where he will choose the unique username for him. The problem arises when the connection goes off during the username setup phase. username is not yet written to the database but when he opens the app next time username will not be null as Real-time database gives me value stored in the cache. So I proceed to the home screen but what if someone else chooses the same username during this phase?
I maintain two-way mapping between uid and username as suggested in this answer
I can't use transaction because at a time transcation can be run only on one path but in my case, I have to automatically update two paths.
I also have security rules setup up for maintaining unique username but what to do with the users who are already crossed the username setup screen.
What if someone else chooses the same username during this phase?
Everytime you want to perform a write operation for a user name, you need to make sure it's unique. To check if a user name exists in a Firebase realtime database, a query like this is required:
DatabaseReference rootRef = FirebaseDatabase.getInstance().getReference();
Query query = rootRef.child("users").orderByChild("userName").equalTo(userName);
query.addValueEventListener(/* ... */);
So if the user tries to set/change the user name while offline, the above query is added to a queue. Once the user regains the connection, every change that is made while offline, will be updated on Firebase servers. With other words, the above query will be commited on the server. So if a user chooses a user name that already exists in the database while offline, when is back online, he'll receive a message that user name already exists.
I can't use transaction because at a time transcation can be run only on one path but in my case, I have to automatically update two paths.
I cannot use transaction because it can be run only on one path, you cannot use transactions at all. Transactions are not supported for offline use. This is because a transaction absolutely requires round trip communications with server in order to ensure that the code inside the transaction completes successfully. So, transactions can only execute when you are online.
Following are the two approaches to validate the current action
Save user details on login in the user session. For every action after login, check whether user has roles and permissions every time. DB needs to be queried since an administrator can change the privilege of the user any time. Query the roles and permissions of the current user and verify the operation every time.
Save user details on login in the user session. For every action after login, check just the roles/permission associated with the session. DB doesn't needs to be queried. However if Administrator or any user changes the permission of the current user from different country invalidate the current user session which should be stored somewhere.
Which of the above would be the best approach on the above ? How to achieve it
Many applications hit the DB for every action.
Some application invalidate the session...
Any reference or code snippet for the above two would be helpful
Not sure whether any other approach is available other than the two
You could employ a hybrid approach: cache roles+permissions in user session for N minutes, then invalidate cache and reload them from the database. Thus, user permissions would be incorrect for no longer than N minutes.
Another approach is to store last update date+time per role in memory and in user session. When an administrator updates role permissions, you set 'update date+time' for this role to 'now'. Also, for each user action, you first check whether 'load date+time' for their role stored in their session is older than that global update date+time stored in memory. If it is older, then you need to reload role and its permissions from database.
This will only work well if
You only have one application instance (no distribution), or you can share that data a lot faster than access the database (some kind of a distributed cache?)
Permissions are changed by administrator via the same application
Your security model is not too complex
Imagine that you have an object roleUpdateTimes that contains a map from a role to its last update date+time (or null if the role was not updated since last restart).
When a role is updates by an administrator, the following is done:
roleUpdateTimes.updated(roleName);
where updated() method just puts the current date to the map:
public void updated(String roleName) {
map.put(roleName, new Date());
}
map may be a ConcurrentHashMap here, so that we have a correct behavior knowing that the map will be accessed by different threads.
For the user, you could have the following in a Filter:
Date roleDate = getRoleDateFromSession(session);
String roleName = getRoleNameFromSession(session);
if (roleUpdateTimes.roleIsStale(roleName, roleDate)) {
... reload role permissions from database and save them to session
saveRoleDateToSession(session, new Date());
}
And
public void roleIsStale(String roleName, Date snapshotDate) {
Date updateDate = map.get(roleName)) {
if (updateDate == null) {
// role was not changed by admin, it's not stale
return false;
}
return updateDate.after(snapshotDate);
}
Also you might need to load map on startup: just put new Date() for every known role.
I want to know the logic and how i can implement it in netbeans. I want to create a login option in simple java application in netbeans via connectivity of mysql.
What I used to do is Preferences for checking whether user status is logged in or not
if user is already logged in then I don't lunch the login interface
else lunch login interface
in log in interface simply take input from user along with primary key (may be email address). and query to database whether it is available in database or not.
If user is available the data of particular user is displayed and preference for user logged in status should changed to logged in.
If user is not available then show some error message.
you can add sign up features where you can simply do simple input validation such as age range, email etc and finally insert the data input by the user.
I have a Vaadin application that starts with a user login, but the problem is with Vaadin is the session handling as I can open two sessions from 2 different browsers with the same login which should not be possible to do. But I did not find any documentation regarding that besides this topic but it's not working properly as the data are not saved in the hashmap correctly.Anyone got the same problem?
Vaadin 7 works by default so that it creates everytime a new UI instance when a new browser tab is opened (or the tab is refreshed). You should store information about current user to VaadinSession or standard HttpSession and check in UI.init() if the session contains user information.
To store information into VaadinSession one can say:
VaadinSession.getCurrent().setAttribute("currentUser", currentUser)
HttpSession can be accessed as follows in Vaadin:
VaadinSession.getCurrent().getSession()
Please note that VaadinSessions are stored into HttpSession and HttpSession can contain multiple VaadinSessions if multiple Vaadin servlets are deployed from the same war file, and the user uses those at the same time.
How to prevent concurrent logins?
I keep track of logins using a self-generated login-token. A random string between 32 and 128 bytes in length that gets stored in a cookie and a backend database, typically under a user's account.
If User (A) shares her login credentials with User (B) a new login-token is generated for the new login and stored in a cookie and updated in the backed database.
If User (A) (who might for example already be logged in) attempts to perform an action while User (B) has just logged-in, User (A)'s session will be destroyed and she'll be redirected to the login screen after a backend test confirmed her login-token isn't a match.
Think of Sessions and Logins as two different things. Sessions can be generated all day long, but login STATE should be stored in a central store.
You can save all logged users to static Set. Static variables are globally shared. On start app, check whether the collection is already login.
I am trying to implement the functionality with which , when a user is loggedIn at one place and when he try to login to some where else , He should automatically be LoggedOut from the previous place .
Like in GMAIL..
If some one can give me the concept , As i think I need to save the user LoggedIn Status in Db,As sessions doesnt looks to be heplful. But then I dont understand how we update user status in DB ,if there is no activity for lets say 5 minutes (how will i capture the inactivity and updating in db).
If some one can please guide, I am struggling on this for hours now .
Thanks
When user login add the user session with id to a hashmap. When the same user logins again check for entry in the HashMap and if available invalidate the session and create new session for the user.
If you are using Spring Security, it provides this functionality out of the box.
Otherwise:
Create a java.util.Map (A ConcurrentMap is prefered, so manipulating it concurrently won't corrupt it), and stores it in application scope (ServletContext).
Now, you shall store each user and a reference to its session upon login in the map, and if a user logins again, just fetch previous session object and invalidate it.
Now implement an instance of javax.servlet.http.HttpSessionListener, and in void sessionDestroyed(javax.servlet.http.HttpSessionEvent httpSessionEvent); method, remove the specified session from the Map. (This listener is invoked on session invalidation, whether it is done automatically by container or if you do it programmatically). just register this listener in web.xml and everything is done.
p.s. I know that it will be some-how harder, if you are deploying your application on a cluster of web-containers, but when you have just one server, that's ok.
p.s. I don't recommend storing session information in DB.