I mentioned this issue (killing browser problem) in a previous posting. The only way to prevent this is to invalidate the original session also in the event that a duplicate login was detected. I can see a possible DOS attack problem with this solution though. Maybe you shouldn't invalidate the original session and make the user call helpdesk to invalidate the original session. This would aid in the tracking of this event also.
Using IP addresses is usually not a good way to detect duplicate logins. I guess this would work in a controlled environment (intranet) where you can guarantee that the user(s) aren't behind a proxy server. It's definetly not an option for a public site. On 6/15/05, Nikola Milutinovic <[EMAIL PROTECTED]> wrote: > David Rickard wrote: > > > Don't know if this is an optimum solution, but it should work: > > Keep a List or Vector of IDs for active users in a shared, > > application-level object (probably ServletContext); > > When someone logs in, search the List for the submitted ID: if not > > present, continue with login sequence; if present, kick them to the > > "duplicate login" page; > > Remove IDs from the List when users log out (and add a > > ServletContextListener to catch people who leave the site without > > logging out--remove their IDs when their sessions time out); > > > This is definitely a correct approach, but it has onw shortcoming. > Suppose one user opens up a session (logs in) and his/her browser dies. > The user opens another browser and tries to login, only to be kicked to > "duplicate user" page. I think in this case, the original poster should > have a vector or a hash map of user names and remote machine names/IPs. > > Nix. > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > -- Virtually, Andre Van Klaveren Architect III, SCP Enterprise Transformation Services Unisys Corporation --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
