发表新帖
发表新帖

Prevent multiple login using the same user name and password

前端 未结
关注
12 2586
栀梦
栀梦 2020-11-29 22:03

I am developing an application that needs to prevent multiple login using the same user name and password.

If it happens on the same machine then obviously we need t

12条回答
  • 旧时难觅i
    旧时难觅i (楼主)
    2020-11-29 22:22

    If user close the browser without logout.

    Particularly this case is hard and not reliable to detect. You could use the beforeunload event in Javascript, but you're fully dependent on whether the browser has JS enabled and the particular browser supports this non-standard event (e.g. Opera doesn't). That's also one of the major reasons that I'd suggest to just logout the previously logged in user instead of preventing the login. That's also more user-friendly and secure for the case that the user "forgot" to logout from the other computer.

    Easiest way is to let the User have a static Map variable and let it implement HttpSessionBindingListener (and Object#equals() and Object#hashCode()).

    public class User implements HttpSessionBindingListener {

    // All logins.
    private static Map logins = new HashMap();

    // Normal properties.
    private Long id;
    private String username;
    // Etc.. Of course with public getters+setters.

    @Override
    public boolean equals(Object other) {
        return (other instanceof User) && (id != null) ? id.equals(((User) other).id) : (other == this);
    }

    @Override
    public int hashCode() {
        return (id != null) ? (this.getClass().hashCode() + id.hashCode()) : super.hashCode();
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        HttpSession session = logins.remove(this);
        if (session != null) {
            session.invalidate();
        }
        logins.put(this, event.getSession());
    }

    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        logins.remove(this);
    }

}

    When you login the User as follows:

    User user = userDAO.find(username, password);
if (user != null) {
    request.getSession.setAttribute("user", user);
} else {
    // Show error.
}

    then it will invoke the valueBound() which will remove any previously logged in user from the logins map and invalidate the session.

    When you logout the User as follows:

    request.getSession().removeAttribute("user");

    or when the session is timed out, then the valueUnbound() will be invoked which removes the user from the logins map.

    0 讨论(0)
 看不清?
提交回复
热议问题