I have used a combination of ip_address and jsessionid which I store in an active_session table.
Every action they do I check the table - if the ip address changes (i.e. someone has nicked the session id) then I ditch the record and make em log in again. If the same user logs in again from same IP address I let them right in, no logon required (within a time period). If the same user logs in from another ip address then I bounce the first one off...

It stops users using each others' passwords as a rule - it's too annoying. The problem is proxies and gateways which mask off original ip addresses. Can't have everything.

Jonathan

======================
For ejb and code generation for your Struts web site, visit:
http://www.faraway.co.uk/tallsoft/lowroad/

---------------------------------------- Message History ----------------------------------------

From: Sean Owen <[EMAIL PROTECTED]> on 28/01/2002 09:40 EST
Please respond to "Struts Users Mailing List" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: Re: Only one logged in session at a time for each user

You should store their current session ID in some kind of persistent store, like you say. Then I would suggest that if they log in a second time, that you invalidate the *old* session and let them continue with the new one. I've seen that approach used on a large public web site.

Sean

On Sunday, January 27, 2002, at 08:01 PM, Antony Stace wrote:

> Hi
>
> I want the users in a Struts application to be only logged in
> once at any one time. What is the best way to go about this?
> I was thinking that I can have some sort of record in (an
> application wide bean)/(a database record)/(the logon action)
> that keeps track of who is logged on and when the log on process
> happens this record is checked, if the user is already logged
> on then don't let them log on again.
> The problem I can see with this is that this works fine if the
> user logs out of the application through a logout action - the
> logout action can simply clear the record of the user being
> logged in. But if the user's browser crashes, they reboot the
> machine, they simply restart the browser then this record will
> not be cleared and thus they will not be able to log in.
> I cannot think of how I can implement a mechanism to ensure only
> one log in at a time. The thought of adding some sort of timeout
> value seems a little nasty, since I hate it when I go to a site
> and I am told I am already logged in, please try back in
> 10 minutes.
>
> Any ideas folks on how to handle this?
>
> Cheers
>
> Tony
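
The "newest login wins" approach Sean suggests, combined with the per-request IP check Jonathan describes, as an added example that is not code from anyone in this thread. The class and method names are hypothetical, the in-memory map stands in for the `active_session` table, and the user names, session ids and addresses in `main` are constructed.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example: one active session per user; a new login displaces the old one. */
public class ActiveSessionRegistry {
    /** One row of the active_session table: current session id and client IP. */
    record Entry(String sessionId, String ip) {}

    public enum Check { OK, IP_CHANGED, SUPERSEDED }

    private final Map<String, Entry> byUser = new ConcurrentHashMap<>();

    /** Record a login. Returns the displaced session id (the caller should
     *  invalidate that session), or null if there was none. */
    public String login(String user, String sessionId, String ip) {
        Entry old = byUser.put(user, new Entry(sessionId, ip));
        return (old == null || old.sessionId().equals(sessionId)) ? null : old.sessionId();
    }

    /** Per-request check against the stored record. */
    public Check check(String user, String sessionId, String ip) {
        Entry e = byUser.get(user);
        if (e == null || !e.sessionId().equals(sessionId)) return Check.SUPERSEDED;
        if (!e.ip().equals(ip)) {
            byUser.remove(user, e);      // ditch the record and force a fresh login
            return Check.IP_CHANGED;     // note: proxies can trigger this for honest users
        }
        return Check.OK;
    }

    /** Call on logout and on session expiry (e.g. from an HttpSessionListener's
     *  sessionDestroyed callback). Only clears the record if it still belongs to
     *  this session, so an expired old session cannot log out the newer one. */
    public void sessionEnded(String user, String sessionId) {
        byUser.computeIfPresent(user, (u, e) -> e.sessionId().equals(sessionId) ? null : e);
    }

    public static void main(String[] args) {
        ActiveSessionRegistry reg = new ActiveSessionRegistry();
        System.out.println("first login displaced: " + reg.login("tony", "S1", "192.0.2.10"));
        System.out.println("S1 request: " + reg.check("tony", "S1", "192.0.2.10"));
        // Browser crashed; the user logs in again and is not locked out.
        System.out.println("second login displaced: " + reg.login("tony", "S2", "198.51.100.7"));
        System.out.println("old S1 request: " + reg.check("tony", "S1", "192.0.2.10"));
        reg.sessionEnded("tony", "S1");  // late expiry of S1 must not clear S2
        System.out.println("S2 request: " + reg.check("tony", "S2", "198.51.100.7"));
        System.out.println("S2 from another IP: " + reg.check("tony", "S2", "203.0.113.5"));
    }
}
```

Because a new login overwrites the record instead of being refused, a crashed browser never leaves the user locked out, which is the case Antony was worried about.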