Josh,

On 10/20/2009 9:19 AM, Josh Gooding wrote:
> I am using a realm for this. I decided that the best route to go on this is
> if a user is actively logged in and tries to log in again (while already
> authenticated) to invalidate the 'other' session and continue on, that way
> if the browser dies, they can still get in. I have however not clue one on
> how to do this. What is put in the session upon authentication that I could
> have my code look for to invalidate the "other" live session?

There is nothing put into the session to help you with this: your web
application will have to provide all of the marking and plumbing required
to fulfill this requirement.

A suggestion:

1. Modify your realm to place a token into the session to identify the
   user. Also, register the session with a session registry you maintain
   that tracks user -> session.
2. Implement an HttpSessionListener, where the sessionDestroyed method
   removes the session from your registry.
3. When a user tries to log in, your realm can look up in this registry for
   any existing sessions and call invalidate() on them.

You can do this in a slightly less invasive way if you decide that the
request's Principal is sufficient for identification. You can write a
Filter that stores the request's principal in the session (if they both
exist) and then write an HttpSessionListener that does the mapping. Any
time a session is created with an already-known principal, you kill the
previous one.

Hmm.... there may be some timing problems with this (because the session
is created before you are able to stuff the request's Principal into
it...). You may have to play around with this a bit.

Good luck,
-chris
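
The three-step registry suggested in the message above, sketched as an added example (not code from the original post or from Tomcat). The class name `SingleSessionRegistry`, the attribute name `app.registry.user` and the `register()` entry point are hypothetical; it assumes the `javax.servlet` API, Java 8, a `<listener>` entry for the class in web.xml, and that the application calls `register()` at the point where it knows authentication has succeeded.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class: tracks user -> session and keeps only the newest login.
public class SingleSessionRegistry implements HttpSessionListener {
    // Session attribute that carries the user token (name is an assumption).
    public static final String USER_ATTR = "app.registry.user";

    // Static so the container-created listener and the login code share it.
    private static final ConcurrentMap<String, HttpSession> SESSIONS =
            new ConcurrentHashMap<>();

    // Steps 1 and 3: call once authentication has succeeded for this session.
    public static void register(String user, HttpSession current) {
        current.setAttribute(USER_ATTR, user);
        HttpSession previous = SESSIONS.put(user, current);
        if (previous != null && !previous.getId().equals(current.getId())) {
            try {
                previous.invalidate(); // ends the "other" live session
            } catch (IllegalStateException alreadyGone) {
                // It expired on its own between put() and invalidate().
            }
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to map yet: the user is unknown until register() runs.
    }

    // Step 2: drop the entry when a session times out or is invalidated.
    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession dying = event.getSession();
        Object user = dying.getAttribute(USER_ATTR);
        if (user instanceof String) {
            // Remove only if the entry still points at the dying session;
            // otherwise invalidating the old login would erase the new one.
            SESSIONS.computeIfPresent((String) user, (name, live) ->
                    live.getId().equals(dying.getId()) ? null : live);
        }
    }
}
```

Because the mapping is made in `register()` rather than in `sessionCreated()`, this variant does not depend on the principal being available at session-creation time.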