| From | "a" <a@mail.com> |
|---|---|
| Newsgroups | comp.lang.java.programmer |
| References | <3giOp.18865$tp.177@newsfe06.iad> <4e0a4776$0$4352$e4fe514c@news.xs4all.nl> <xZAOp.28292$_I7.2396@newsfe08.iad> <4e0af10f$0$4366$e4fe514c@news.xs4all.nl> |
| Subject | Re: handling stale session |
| Message-ID | <7gKOp.905$oL3.751@newsfe13.iad> (permalink) |
| Date | 2011-06-29 11:35 -0700 |

Thank you very much for your reply.
You have pointed out the problem of my plan.
The reason that one machine with multiple sessions is not allowed is to avoid attack.
Therefore, overwriting the existing session id by the subsequent one is not an option because someone may be able to keep overriding the existing session.
Whatever the reason, the number of sessions should be limited.
This is the reason I need a solution for a proactive session validity check.

"Silvio" <silvio@moc.com> wrote in message news:4e0af10f$0$4366$e4fe514c@news.xs4all.nl...
> If you properly clean up stale sessions (clear the session flag in the
> database in your case) on both timeout and logout then this problem is
> solved. At login time you simply demand that the session flag in the
> database for that IP is cleared.
>
> The only problem that remains is that if someone closes his browser
> without logging out properly and then tries to log in again shortly after
> then he will be refused until his previous session finally times out.
> This is a general problem with web applications.
> There are several workarounds for this problem. One would be to allow
> subsequent logins and simply overwrite the session id in the database
> for that IP. In the application you then consciously re-check if the
> current session id is equal to the one in the database. If not then the
> session has been rendered invalid by a subsequent login and you issue a
> message and log the session out.
>
> On 06/29/2011 10:01 AM, a wrote:
>> Thanks for your reply.
>> I need to check the validity of the session proactively because I only
>> allow one session per IP.
>> When there is another login request with a duplicated IP, I have to
>> determine the validity of the existing session.
>>
>>
>> "Silvio" <silvio@moc.com> wrote in message
>> news:4e0a4776$0$4352$e4fe514c@news.xs4all.nl...
>>> Approach this from the other end. Add a listener to the session to hook
>>> into the session timeout and clean up the session.
>>>
>>> Silvio
>>>
>>>
>>> On 06/28/2011 12:44 PM, a wrote:
>>>> Hi
>>>>
>>>> My question is about handling the stale session caused by a user exiting
>>>> the application without logging out. I use a table to maintain session info
>>>> and user, e.g., session id, user oid.
>>>> If the user exits the application without logging out properly or the web
>>>> server restarts, there is a record left on the table.
>>>> I am planning to check the validity of the session id on the table when
>>>> the user next logs in.
>>>> Is it possible to check whether the session is still alive or not by
>>>> telling the session id?
>>>>
>>>> Thanks
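
The two approaches discussed in this thread (cleanup in a session listener, and overwrite-then-recheck), as an added example that is not code from either poster. It assumes the Servlet 3.0 API; the class name, the attribute name and the in-memory map standing in for the database table are hypothetical.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// In-memory stand-in (assumption) for the thread's table: client IP -> session id.
@WebListener
public class SingleSessionRegistry implements HttpSessionListener {
    private static final ConcurrentMap<String, String> ACTIVE = new ConcurrentHashMap<>();
    static final String IP_ATTR = "registry.clientIp"; // hypothetical attribute name

    // Strict policy: refuse the login while an entry exists for this IP.
    public static boolean tryRegister(String clientIp, HttpSession session) {
        if (ACTIVE.putIfAbsent(clientIp, session.getId()) != null) {
            return false;
        }
        session.setAttribute(IP_ATTR, clientIp);
        return true;
    }

    // Overwrite policy: the newest login wins and displaces the older session.
    public static void registerOverwriting(String clientIp, HttpSession session) {
        session.setAttribute(IP_ATTR, clientIp);
        ACTIVE.put(clientIp, session.getId());
    }

    // Per-request re-check: false means a later login replaced this session.
    public static boolean isCurrent(HttpSession session) {
        Object ip = session.getAttribute(IP_ATTR);
        return ip != null && session.getId().equals(ACTIVE.get(ip));
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) { }

    // The container calls this on timeout and on invalidate() (logout).
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        Object ip = s.getAttribute(IP_ATTR);
        if (ip != null) {
            // Two-argument remove: a displaced session must not clear its successor's entry.
            ACTIVE.remove(ip, s.getId());
        }
    }
}
```

With a real database table in place of the map, the listener never runs if the server process dies, so rows left over from the previous run also need clearing at startup.
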
handling stale session "a" <a@mail.com> - 2011-06-28 03:44 -0700
Re: handling stale session Silvio <silvio@moc.com> - 2011-06-28 23:28 +0200
Re: handling stale session "a" <a@mail.com> - 2011-06-29 01:01 -0700
Re: handling stale session Silvio <silvio@moc.com> - 2011-06-29 11:31 +0200
Re: handling stale session "a" <a@mail.com> - 2011-06-29 11:35 -0700
Re: handling stale session Silvio <silvio@moc.com> - 2011-06-30 00:12 +0200