Welcome!

Linux Authors: Pat Romanski, Trevor Parsons, Andreas Grabner, Elizabeth White, Michael Bushong

Related Topics: AJAX & REA

AJAX & REA: Article

Rich Internet Applications: Tips, Tricks & Techniques

How to Avoid Multiple Per-User Sessions in Tomcat/JBoss

Usually, in a rich internet application (RIA), a user with a registered account can do two different logins from two different workstations and can maintain two concurrent sessions opened. In some applications we want to limit the users to one session per account, so we have to take countermeasures.

A simple method to check if a user is logged is to set a property in the current HttpSession; in this example in our login function we set

session.setAttribute("username", username);

If there is no username attribute, we will return an error to the user.
When someone starts a session with his account we have to check if there is already a session opened with that account. We can use an HashMap using the username as key and the session as value; obviously we have to use the same hashmap across multiple logins. A very fast and simple solution is to create a singleton that exposes operations on our hashmap:

public class MySessionManager {

private HashMap hashMap;

public boolean exist(String username) {
if(hashMap.containsKey(username)) {
return true;
}

return false;
}

public boolean addSession(HttpSession session) {
if(hashMap.containsKey(session.getAttribute("username"))) {
return false;
}

hashMap.put((YouthruCorpPrincipal)session.
getAttribute("username"), session);
return true;
}

public HttpSession getSession(String username) {
return hashMap.get(username);
}

public boolean removeSession(String username) {
if(!hashMap.containsKey(username)) {
return false;
}

hashMap.remove(username);
return true;
}

private static MySessionManager instance;


public static MySessionManager getInstance() {
if(instance == null)
instance = new MySessionManager();

return instance;
}

public MySessionManager() {
hashMap = new HashMap();
}

}

In our login function we have to check the existence of a previously created session with the same username, in that case we can logout the user associated with that session:

if(MySessionManager.getInstance.exist(username)) {
logout(MySessionManager.getInstance.getSession(username));
MySessionManager.getInstance.removeSession(username);
}

In this case the logout function takes as argument a session and log out from our application the user associated with that session, then we can do our login routine and at add the current session to the hashmap.

In this example we are checking only for sessions with a username attached, if we want to do some operation every time a session is created/destroyed, we can implement the HttpSessionListener interface:

Classes that implement this interface will be notified of session creation and destruction using the respective functions:

void sessionCreated(HttpSessionEvent se)
void sessionDestroyed(HttpSessionEvent se)

To receive notification events, the implementation class must be configured in the deployment descriptor for the web application; for example:


<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/
j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<listener>
<listener-class>
myapp.security.MySessionListener
</listener-class>
</listener>
</web-app>

More Stories By Emanuele Tatti

Emanuele Tatti is a software engineer at Comtaste, a consulting company and solution provider for Rich Internet Applications (RIA) based in Rome, Italy, and operating internationally (www.comtaste.com/en). His areas of expertise are Flex, Livecycle Data Services, BlazeDS and Java for building enterprise applications. He has been involved in several projects especially related to the financial field and is also chief engineer for YouThruBiz, an innovative enterprise-class rich internet application which allows companies and recruiters to select human resources through multimedia job interviews and e-resumes.

His posts can be found at blog.comtaste.com

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.