Gokul Singh wrote:
Hans Bergsten wrote:
> [...]

> The spec may not be explicit enough about this, but the session object
> you get back from the getSession() object is a container-managed object
> that the application is not supposed/allowed to keep long-lived
> references to. It's the same as with all other container-objects made
> available to the application; request, response, JSP tag handlers, etc.
>
> I'm not sure why you're keeping references to the session objects in
> your application, but if you describe what you're trying to do I'm
> sure I can give you a hint about another way to accomplish the same
> thing without the problems you have with your current solution.

I am trying to disallow a single user to have multiple login sessions valid at any given time. I have to enforce this even if the user tried to login from two different machines. Can you suggest a solution for this which works on tomcat 3.2.1 and uses servlet specs 2.2 only?

Regds,
Gokul

When I had to do something similar, I maintained a Hashtable in a servlet context attribute that was keyed by username rather than by session id.  My login logic (that processed the username and password) checked for the username already being in this Hashtable, and disallowed a login if it was already there.  For logout, I also stuck in a session attribute which implemented HttpSessionBindingListener, so that I could remove this user's entry when the current session was invalidated.

As others will undoubtedly point out, you still get to face the usual set of issues when a user has multiple windows open on the same client machine.

Craig
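
The approach described in the reply above (a username-keyed Hashtable in a servlet context attribute, cleaned up by an HttpSessionBindingListener session attribute), as an added example that is not code from the thread. The class name `LoginSlot` and both attribute names are hypothetical, and the code assumes the Servlet 2.2 API (so no generics).

```java
import java.util.Hashtable;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Session attribute that frees the user's registry entry when the session ends. */
public class LoginSlot implements HttpSessionBindingListener {
    // Hypothetical attribute names chosen for this example.
    private static final String REGISTRY = "example.activeLogins";
    private static final String SLOT = "example.loginSlot";
    private final String username;
    private final String sessionId;
    private final Hashtable registry;   // username -> id of the owning session

    private LoginSlot(String username, String sessionId, Hashtable registry) {
        this.username = username;
        this.sessionId = sessionId;
        this.registry = registry;
    }

    /** Call only after the password check succeeds; false = already logged in. */
    public static boolean claim(ServletContext ctx, HttpSession session, String username) {
        Hashtable registry;
        synchronized (LoginSlot.class) {   // create the shared table exactly once
            registry = (Hashtable) ctx.getAttribute(REGISTRY);
            if (registry == null) {
                registry = new Hashtable();
                ctx.setAttribute(REGISTRY, registry);
            }
        }
        synchronized (registry) {          // check-then-put must be one atomic step
            if (registry.containsKey(username)) return false;
            registry.put(username, session.getId());
        }
        // Binding the listener ties the entry's lifetime to this session.
        session.setAttribute(SLOT, new LoginSlot(username, session.getId(), registry));
        return true;
    }

    public void valueBound(HttpSessionBindingEvent event) { }

    /** Called on invalidate() and on timeout; removes only this session's entry. */
    public void valueUnbound(HttpSessionBindingEvent event) {
        synchronized (registry) {
            if (sessionId.equals(registry.get(username))) registry.remove(username);
        }
    }
}
```

A user who closes the browser without logging out stays in the table until the session times out, so the session timeout bounds how long that user is locked out. The table lives in one servlet context, so it does not cover logins handled by a different server instance.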
 
