I am developing an application that needs to prevent multiple logins using the same user name and password.
If it happens on the same machine then obviously we need t
How to identify whether browser is still active or not?
Make a dummy Ajax call every minute and record the status in the HttpSession against the user and session ID, along with the time of the last call. When the same user logs in with a new session, check against the user in the HttpSession and check the time; if it exceeds more than a minute, it means that the previous browser is closed/not active.
Note: Set the time as per your requirement (in my case it's 1 minute).
Along with the above condition check, add the code mentioned in the comment "If user close the browser without logout."
public class User implements HttpSessionBindingListener
Use the token
When the user logs in successfully, the server side returns a token string to the client/browser side, and the server side saves a map of userID - token. The client repeatedly checks/requests the server with that token; if the token is not the same, this user has logged in multiple times.
On logoff, it saves the token into cookies or the file system on the client side, and brings this token when logging in next time.
Table:
userid:token:log_date
Take one extra field in the table with the column name, say, "IsLoggedIn" as a bit field and set it to true until the user is logged in. As soon as the user logs out, set it to false. This needs to be done for session expiry time also. As soon as the session expires, this field should be set to false automatically using triggers or through an SP call.
A good solution is still welcome.
I'd track each user's last known IP address and a timestamp for when they were last on that IP. Then you can just block access from other IPs for 5 minutes, an hour, or whatever you like.
Whenever the IP address switches, you can a) expire the user's old session, so they're forced to log back in and b) increment a per-user counter (which you can zero out every hour). If the counter goes above 5 (or something), you can block all access to the user's account for a longer period of time.
I would also advise Shantanu Gupta's solution - have a database column indicating that the user is currently logged in, and update that column accordingly.
In order to 'capture' session expiration, you need to define in your web.xml:
    <listener>
        <listener-class>com.foo.MySessionListener</listener-class>
    </listener>
Where MySessionListener is your implementation of the HttpSessionListener interface (provided by the Servlet API).
I have implemented a possible solution for myself:
in the loginFilter I use, I set lastloggedin, userloggedin and userSession within the user record on my system.
    user.setUser_lastlogged(new Date());
    user.setUser_loggedin(true);
    user.setSessionId(request.getSession().getId());
    appService.saveUsers(user);
So when I go to any of my Struts2 actions, I have a snippet of code in the prepare method.
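    @Override
    public void prepare() throws Exception {
        UsersBase usercheck = appservice.getUserByUsername((String) request.getSession().getAttribute("j_username"));
        // The user record holds the ID of the most recent login's session.
        // If this request's session is not that one, a newer login has replaced it,
        // so end this (older) session. The null check covers requests with no logged-in user.
        if (usercheck != null && !request.getSession().getId().equals(usercheck.getSessionId())) {
            request.getSession().invalidate();
        }
    }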
This will log the user out when they log in on another machine; or, if you don't want to log them in, I could do the following in the loginFilter:
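    UsersBase userdto = appService.getUserByUsername(username);
    if (userdto != null) {
        // user_loggedin has to be cleared on logout and on session expiry,
        // otherwise a closed browser leaves the account locked out.
        if (userdto.getUser_loggedin()) {
            // A stored session ID different from this request's means the user
            // is already logged in from another browser: refuse this attempt.
            if (!request.getSession().getId().equals(userdto.getSessionId())) {
                authRequest.eraseCredentials();
                request.getSession().setAttribute("error", "You are already logged in ");
            }
        }
    }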
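The userID - token map and the last-call timestamp from the answers above can be combined in one small registry; the sketch below is an added example, not code from any of the posts. Class and method names are hypothetical, and it assumes Java 16+ and a single application node (a cluster would keep the same data in shared storage such as the userid:token:log_date table).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Added example, hypothetical names, Java 16+: at most one live token per user ID.
public class SingleSessionRegistry {
    private record Entry(String token, Instant lastSeen) {}
    private final ConcurrentHashMap<String, Entry> live = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final Duration idle;       // heartbeat window; older entries count as closed browsers
    private final boolean newestWins;  // true: a new login evicts the old one; false: it is refused
    public SingleSessionRegistry(Duration idle, boolean newestWins) {
        this.idle = idle; this.newestWins = newestWins;
    }
    private static boolean same(String a, String b) {  // constant-time token comparison
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    // Call after the password check succeeds. Empty result: user is active elsewhere, login refused.
    public Optional<String> login(String userId, Instant now) {
        String[] issued = new String[1];
        live.compute(userId, (id, cur) -> {
            if (cur != null && !newestWins && now.isBefore(cur.lastSeen().plus(idle))) return cur;
            byte[] raw = new byte[32]; rng.nextBytes(raw);   // unguessable 256-bit token
            issued[0] = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            return new Entry(issued[0], now);
        });
        return Optional.ofNullable(issued[0]);
    }
    // Call on every request or heartbeat. false: superseded or idle too long, so invalidate.
    public boolean touch(String userId, String token, Instant now) {
        boolean[] ok = new boolean[1];
        live.computeIfPresent(userId, (id, cur) -> {
            if (!same(cur.token(), token)) return cur;                   // newer session stays valid
            if (!now.isBefore(cur.lastSeen().plus(idle))) return null;   // stale: free the slot
            ok[0] = true;
            return new Entry(cur.token(), now);
        });
        return ok[0];
    }
    public void logout(String userId, String token) {  // only the current token clears the entry
        live.computeIfPresent(userId, (id, cur) -> same(cur.token(), token) ? null : cur);
    }
}
```

Constructed with `Duration.ofSeconds(60)`, the idle window matches the one-minute heartbeat; with `newestWins` set to `false`, a browser closed without logout blocks a new login only until that window has passed.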