A much simpler way is to set a GUID in both a cookie and the session every
time they log in, then on every request make sure the GUID matches. If
it doesn't, it means it's a stale login.

-igor

On Wed, Mar 2, 2011 at 11:33 AM, shetc <sh...@bellsouth.net> wrote:
> Hi All,
>
> Following a security assessment, I have been asked to tighten the security
> in a Wicket-based web application. In particular, I need to prevent a user
> from having concurrent logins to the app. I would like to know if there is
> a preferred "Wicket Way" of implementing this feature. Reviewing the Wicket
> forum, it seemed like the approach would be to extend
> SecondLevelCacheSessionStore, and use its onBind template method to catch
> when a session is created. In onBind, use the RequestLogger to look through
> all the live sessions to determine if the user has multiple sessions. But I
> think I saw a comment that this won't work in a clustered environment. Is
> there a better way to clear extra user sessions?
>
> Thanks very much,
> Steve
>
> P.S. Using v1.4.9
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
>
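
An added example, not code from this thread or from Wicket: the GUID check from the reply, written in plain Java. It assumes, beyond what the reply states, that the latest GUID per user is also kept in a store shared by all nodes, so that a second login makes the first session's GUID stale; the class, the method names and the user id are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

public class StaleLoginCheck {
    // Hypothetical stand-in for a store shared by all cluster nodes (e.g. a database table).
    private final Map<String, String> latestGuidByUser = new ConcurrentHashMap<>();

    /** Call on successful login; put the returned GUID in the session and in a cookie. */
    public String onLogin(String userId) {
        String guid = UUID.randomUUID().toString(); // version 4, backed by SecureRandom
        latestGuidByUser.put(userId, guid);          // a newer login replaces the older one
        return guid;
    }

    /** Call on every request; false means the login is stale and the session should be invalidated. */
    public boolean isCurrent(String userId, String sessionGuid, String cookieGuid) {
        String latest = latestGuidByUser.get(userId);
        return same(sessionGuid, cookieGuid)   // the check from the reply: cookie vs session
            && same(sessionGuid, latest);      // added assumption: session vs latest login
    }

    // Constant-time comparison; a null value never matches.
    private static boolean same(String a, String b) {
        if (a == null || b == null) return false;
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        StaleLoginCheck check = new StaleLoginCheck();
        // Constructed scenario: the same user logs in from two browsers.
        String browserA = check.onLogin("steve");
        System.out.println("A after own login: " + check.isCurrent("steve", browserA, browserA));
        String browserB = check.onLogin("steve");
        System.out.println("A after B logs in: " + check.isCurrent("steve", browserA, browserA));
        System.out.println("B after own login: " + check.isCurrent("steve", browserB, browserB));
        System.out.println("A with B's cookie: " + check.isCurrent("steve", browserA, browserB));
    }
}
```

In a web application the `isCurrent` call would sit in a per-request hook, with the session invalidated and the cookie cleared when it returns false.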
