Re: custom session manager
There is one problem with this approach. Load balancing/clustering. If you have a HashMap in one tomcat JVM, how does that information get propagated to other JVMs possibly on other machines?

Thank you by the way for all the inputs so far

On 10/6/05, Leon Rosenberg <[EMAIL PROTECTED]> wrote:
> On 10/6/05, Tobias Meyer <[EMAIL PROTECTED]> wrote:
> > The problem is AFAIK, that you cannot access the list of all sessions through the servlet-api.
> > That feature was in the servlet-api at some time, but was removed, IIRC due to security issues.
> >
> > If you have a list of all sessions, you can easily iterate over them at login and manually expire all old sessions for the same user. => Max. one active session per user.
>
> ok, got you, yes that's feasible
> thanx for explanations
> leon
Re: custom session manager
On 10/6/05, Tobias Meyer <[EMAIL PROTECTED]> wrote:
> The problem is AFAIK, that you cannot access the list of all sessions through the servlet-api.
> That feature was in the servlet-api at some time, but was removed, IIRC due to security issues.
>
> If you have a list of all sessions, you can easily iterate over them at login and manually expire all old sessions for the same user. => Max. one active session per user.

ok, got you, yes that's feasible
thanx for explanations
leon
Re: custom session manager
The problem is AFAIK, that you cannot access the list of all sessions through the servlet-api. That feature was in the servlet-api at some time, but was removed, IIRC due to security issues.

If you have a list of all sessions, you can easily iterate over them at login and manually expire all old sessions for the same user. => Max. one active session per user.

> -----Original Message-----
> From: Leon Rosenberg [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 6 October 2005 16:11
> To: Tomcat Users List
> Subject: Re: custom session manager
>
> Sorry, but how exactly does it solve the problem of having one session per user? :-)
>
> On 10/6/05, Tobias Meyer <[EMAIL PROTECTED]> wrote:
> > > -----Original Message-----
> > > From: Leon Rosenberg [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, 6 October 2005 11:20
> > > To: Tomcat Users List
> > > Subject: Re: custom session manager
> > >
> > > On 10/6/05, Tobias Meyer <[EMAIL PROTECTED]> wrote:
> > > >
> > > > Or, you could add a static hashmap to your Servlet (or a bean if using JSPs) where you simply add the sessions with every request. You would have to put an attribute implementing javax.servlet.http.HttpSessionActivationListener in each session though, that removes the session from your hashmap when the session is expired or you will end up with having many invalid entries in your hashmap. (And I don't even know what happens if you keep the references to those Session objects when they are recycled by tomcat)
> > > > We do this to keep track of our sessions within the application.
> > >
> > > If you keep your sessions in a hashmap forever they will never be freed by the garbage collector and you will end with an outofmemory error one day.
> >
> > That's why I said you need one Attribute that implements the HttpSessionActivationListener, which, on second thought, was wrong - you need to implement HttpSessionBindingListener.
> >
> > The Method
> >
> > public void valueUnbound(HttpSessionBindingEvent event)
> >
> > will get called automatically when the session expires, and you can add code that removes the session from the hashmap.
Re: custom session manager
Sorry, but how exactly does it solve the problem of having one session per user? :-)

On 10/6/05, Tobias Meyer <[EMAIL PROTECTED]> wrote:
> > -----Original Message-----
> > From: Leon Rosenberg [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, 6 October 2005 11:20
> > To: Tomcat Users List
> > Subject: Re: custom session manager
> >
> > On 10/6/05, Tobias Meyer <[EMAIL PROTECTED]> wrote:
> > >
> > > Or, you could add a static hashmap to your Servlet (or a bean if using JSPs) where you simply add the sessions with every request. You would have to put an attribute implementing javax.servlet.http.HttpSessionActivationListener in each session though, that removes the session from your hashmap when the session is expired or you will end up with having many invalid entries in your hashmap. (And I don't even know what happens if you keep the references to those Session objects when they are recycled by tomcat)
> > > We do this to keep track of our sessions within the application.
> >
> > If you keep your sessions in a hashmap forever they will never be freed by the garbage collector and you will end with an outofmemory error one day.
>
> That's why I said you need one Attribute that implements the HttpSessionActivationListener, which, on second thought, was wrong - you need to implement HttpSessionBindingListener.
>
> The Method
>
> public void valueUnbound(HttpSessionBindingEvent event)
>
> will get called automatically when the session expires, and you can add code that removes the session from the hashmap.
Re: custom session manager
> -----Original Message-----
> From: Leon Rosenberg [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 6 October 2005 11:20
> To: Tomcat Users List
> Subject: Re: custom session manager
>
> On 10/6/05, Tobias Meyer <[EMAIL PROTECTED]> wrote:
> >
> > Or, you could add a static hashmap to your Servlet (or a bean if using JSPs) where you simply add the sessions with every request. You would have to put an attribute implementing javax.servlet.http.HttpSessionActivationListener in each session though, that removes the session from your hashmap when the session is expired or you will end up with having many invalid entries in your hashmap. (And I don't even know what happens if you keep the references to those Session objects when they are recycled by tomcat)
> > We do this to keep track of our sessions within the application.
>
> If you keep your sessions in a hashmap forever they will never be freed by the garbage collector and you will end with an outofmemory error one day.

That's why I said you need one Attribute that implements the HttpSessionActivationListener, which, on second thought, was wrong - you need to implement HttpSessionBindingListener.

The Method

public void valueUnbound(HttpSessionBindingEvent event)

will get called automatically when the session expires, and you can add code that removes the session from the hashmap.
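
The approach discussed in this thread (a static map of sessions, cleaned up through an HttpSessionBindingListener attribute, with the older session for the same user expired at login), as an added example that is not code from any poster or from Tomcat. The class name `SingleSessionMarker` and the attribute name are hypothetical, and the map lives in one JVM only, so it does not answer the clustering question raised in the thread.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/**
 * Added example, hypothetical class: a session attribute that keeps at most
 * one live session per user inside a single JVM.
 */
public final class SingleSessionMarker implements HttpSessionBindingListener {

    /** Hypothetical attribute name used to store the marker in the session. */
    public static final String ATTR = "singleSessionMarker";

    /** User name -> marker of the session currently active for that user (this JVM only). */
    private static final ConcurrentMap<String, SingleSessionMarker> ACTIVE =
            new ConcurrentHashMap<>();

    private final String user;
    private volatile HttpSession session; // set when the marker is bound

    private SingleSessionMarker(String user) {
        this.user = user;
    }

    /** Call once after a successful login, with the user's new session. */
    public static void register(String user, HttpSession newSession) {
        // setAttribute() makes the container call valueBound() below.
        newSession.setAttribute(ATTR, new SingleSessionMarker(user));
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        session = event.getSession();
        // Atomically make this session the active one and fetch the old entry.
        SingleSessionMarker previous = ACTIVE.put(user, this);
        HttpSession old = (previous == null || previous == this) ? null : previous.session;
        if (old != null) {
            try {
                // Expire the older session; its own valueUnbound() then runs.
                old.invalidate();
            } catch (IllegalStateException alreadyInvalidated) {
                // The old session timed out in the meantime; nothing to do.
            }
        }
    }

    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        // Runs on logout, timeout or invalidate(). Remove the entry only if it
        // still points at this marker, so an expiring old session cannot wipe
        // the entry of the session that replaced it.
        ACTIVE.remove(user, this);
        session = null; // drop the reference so the session can be collected
    }
}
```

The conditional `remove(user, this)` is what keeps the map free of stale entries without losing the newer session's entry when the older one is invalidated.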
Re: custom session manager
On 10/6/05, Tobias Meyer <[EMAIL PROTECTED]> wrote:
>
> Or, you could add a static hashmap to your Servlet (or a bean if using JSPs) where you simply add the sessions with every request. You would have to put an attribute implementing javax.servlet.http.HttpSessionActivationListener in each session though, that removes the session from your hashmap when the session is expired or you will end up with having many invalid entries in your hashmap. (And I don't even know what happens if you keep the references to those Session objects when they are recycled by tomcat)
> We do this to keep track of our sessions within the application.

If you keep your sessions in a hashmap forever they will never be freed by the garbage collector and you will end with an outofmemory error one day.
Re: custom session manager
> -----Original Message-----
> From: Leon Rosenberg [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 6 October 2005 07:43
> To: Tomcat Users List; Mark
> Subject: Re: custom session manager
>
> On 10/6/05, Mark <[EMAIL PROTECTED]> wrote:
> > basically, I want to prevent users from logging in and creating a second session if a valid session for that user already exists.
> >
> > For instance.
> >
> > 1. Log in to my web app, session is created
> > 2. browse around in my web app
> > 3. close browser, do not logout
> > 4. Start browser up again
> > 5. try and log in
> > 6. Do not allow login, have user 'reconnect' to the old session created in step 1.
> >
> > I have written quite a few web based apps, and I know of no way to kill the session at step 3.
>
> pretty easy, set session timeout to 1 minute and integrate a hidden frame or javascript-loaded-image in your application that reloads every 30 seconds. 60-99 seconds after the user closed his browser the session would be killed.

Or, you could add a static hashmap to your Servlet (or a bean if using JSPs) where you simply add the sessions with every request. You would have to put an attribute implementing javax.servlet.http.HttpSessionActivationListener in each session though, that removes the session from your hashmap when the session is expired or you will end up with having many invalid entries in your hashmap. (And I don't even know what happens if you keep the references to those Session objects when they are recycled by tomcat)

We do this to keep track of our sessions within the application.

A quick google revealed http://www.jguru.com/faq/view.jsp?EID=12141 with example code.

Once you have the list of sessions, it should be easy to expire the old ones for the same user...

Though this will allow you to have only one session per user, it will not kill the session immediately after step 3. Using the reload as described above will do that, but prevents you from having a security-logout if the user just has his browser open all day (without actually doing anything).

Hth,
Tobias
Re: custom session manager
On 10/6/05, Mark <[EMAIL PROTECTED]> wrote:
> basically, I want to prevent users from logging in and creating a second session if a valid session for that user already exists.
>
> For instance.
>
> 1. Log in to my web app, session is created
> 2. browse around in my web app
> 3. close browser, do not logout
> 4. Start browser up again
> 5. try and log in
> 6. Do not allow login, have user 'reconnect' to the old session created in step 1.
>
> I have written quite a few web based apps, and I know of no way to kill the session at step 3.

pretty easy, set session timeout to 1 minute and integrate a hidden frame or javascript-loaded-image in your application that reloads every 30 seconds. 60-99 seconds after the user closed his browser the session would be killed.

>
> Hope this clears things up.
>
> Thanks again!
RE: custom session manager
> From: Mark [mailto:[EMAIL PROTECTED]
> Subject: Re: custom session manager
>
> basically, I want to prevent users from logging in and creating a second session if a valid session for that user already exists.

Why? Some strange security issue? Resource consumption? An anti-DoS measure?

 - Chuck
Re: custom session manager
basically, I want to prevent users from logging in and creating a second session if a valid session for that user already exists.

For instance.

1. Log in to my web app, session is created
2. browse around in my web app
3. close browser, do not logout
4. Start browser up again
5. try and log in
6. Do not allow login, have user 'reconnect' to the old session created in step 1.

I have written quite a few web based apps, and I know of no way to kill the session at step 3.

Hope this clears things up.

Thanks again!

On 10/5/05, Leon Rosenberg <[EMAIL PROTECTED]> wrote:
> I have never seen that the getRemoteUser method you are referring to returned something useful, or just something other than null. Taking into account different browsers, proxies, internet-cafes... I don't think it's possible.
> On the other hand, why do you need that? As a matter of security this will not work, because an intruder will simply use a patched browser and a proxy. Maybe if you tell us what you are trying to achieve, we can provide you a better solution.
>
> regards
> leon
>
> On 10/5/05, Mark <[EMAIL PROTECTED]> wrote:
> > This is about 90% of what I want. One of the features I want to put into my session manager is the ability to only have one open session per user. What I would like is to have a createSession method that takes in user and host. This way I could be relatively sure that the user could only have one session at a time.
> > The way the API looks is I have no way of passing this information into the createSession method. Is this true? Or do I have to extend some of the low-level tomcat code in order to make this work?
> >
> > TIA for any help you can provide.
> >
> > On 9/29/05, Leon Rosenberg <[EMAIL PROTECTED]> wrote:
> > > check this out:
> > >
> > > http://www.niallp.pwp.blueyonder.co.uk/TomcatBug36541.html
> > >
> > > The link itself handles a bug, but one of the solutions is to replace the std. manager with custom manager with all info you need to actually do this. I think this fits your question.
> > >
> > > regards
> > > leon
> > >
> > > On 9/29/05, Mark <[EMAIL PROTECTED]> wrote:
> > > > After using tomcat since the 3.x days, I have been very impressed with the amount of flexibility and configuration options that I have available to me.
> > > >
> > > > One part of the tomcat design that I do not believe is very flexible is the ability to set up a custom session manager. So maybe I am missing something, but how would I go about writing this for tomcat?
> > > > I know I am being very vague, but how much work am I potentially signing myself up for here if I wanted to create a custom session manager?
> > > >
> > > > Thank you.
Re: custom session manager
I have never seen that the getRemoteUser method you are referring to returned something useful, or just something other than null. Taking into account different browsers, proxies, internet-cafes... I don't think it's possible.

On the other hand, why do you need that? As a matter of security this will not work, because an intruder will simply use a patched browser and a proxy. Maybe if you tell us what you are trying to achieve, we can provide you a better solution.

regards
leon

On 10/5/05, Mark <[EMAIL PROTECTED]> wrote:
> This is about 90% of what I want. One of the features I want to put into my session manager is the ability to only have one open session per user. What I would like is to have a createSession method that takes in user and host. This way I could be relatively sure that the user could only have one session at a time.
> The way the API looks is I have no way of passing this information into the createSession method. Is this true? Or do I have to extend some of the low-level tomcat code in order to make this work?
>
> TIA for any help you can provide.
>
> On 9/29/05, Leon Rosenberg <[EMAIL PROTECTED]> wrote:
> > check this out:
> >
> > http://www.niallp.pwp.blueyonder.co.uk/TomcatBug36541.html
> >
> > The link itself handles a bug, but one of the solutions is to replace the std. manager with custom manager with all info you need to actually do this. I think this fits your question.
> >
> > regards
> > leon
> >
> > On 9/29/05, Mark <[EMAIL PROTECTED]> wrote:
> > > After using tomcat since the 3.x days, I have been very impressed with the amount of flexibility and configuration options that I have available to me.
> > >
> > > One part of the tomcat design that I do not believe is very flexible is the ability to set up a custom session manager. So maybe I am missing something, but how would I go about writing this for tomcat?
> > > I know I am being very vague, but how much work am I potentially signing myself up for here if I wanted to create a custom session manager?
> > >
> > > Thank you.
Re: custom session manager
This is about 90% of what I want. One of the features I want to put into my session manager is the ability to only have one open session per user. What I would like is to have a createSession method that takes in user and host. This way I could be relatively sure that the user could only have one session at a time.

The way the API looks is I have no way of passing this information into the createSession method. Is this true? Or do I have to extend some of the low-level tomcat code in order to make this work?

TIA for any help you can provide.

On 9/29/05, Leon Rosenberg <[EMAIL PROTECTED]> wrote:
> check this out:
>
> http://www.niallp.pwp.blueyonder.co.uk/TomcatBug36541.html
>
> The link itself handles a bug, but one of the solutions is to replace the std. manager with custom manager with all info you need to actually do this. I think this fits your question.
>
> regards
> leon
>
> On 9/29/05, Mark <[EMAIL PROTECTED]> wrote:
> > After using tomcat since the 3.x days, I have been very impressed with the amount of flexibility and configuration options that I have available to me.
> >
> > One part of the tomcat design that I do not believe is very flexible is the ability to set up a custom session manager. So maybe I am missing something, but how would I go about writing this for tomcat?
> > I know I am being very vague, but how much work am I potentially signing myself up for here if I wanted to create a custom session manager?
> >
> > Thank you.
Re: custom session manager
check this out:

http://www.niallp.pwp.blueyonder.co.uk/TomcatBug36541.html

The link itself handles a bug, but one of the solutions is to replace the std. manager with custom manager with all info you need to actually do this. I think this fits your question.

regards
leon

On 9/29/05, Mark <[EMAIL PROTECTED]> wrote:
> After using tomcat since the 3.x days, I have been very impressed with the amount of flexibility and configuration options that I have available to me.
>
> One part of the tomcat design that I do not believe is very flexible is the ability to set up a custom session manager. So maybe I am missing something, but how would I go about writing this for tomcat?
> I know I am being very vague, but how much work am I potentially signing myself up for here if I wanted to create a custom session manager?
>
> Thank you.
custom session manager
After using tomcat since the 3.x days, I have been very impressed with the amount of flexibility and configuration options that I have available to me.

One part of the tomcat design that I do not believe is very flexible is the ability to set up a custom session manager. So maybe I am missing something, but how would I go about writing this for tomcat?

I know I am being very vague, but how much work am I potentially signing myself up for here if I wanted to create a custom session manager?

Thank you.