Only one user is allowed to log on to the system on the same computer.

Source: Internet
Author: User
In web application systems, for security reasons, it is often necessary to limit the number of users logging on to the same client and the number of users logging on to multiple clients at the same time. Specifically:

1. Only one user can log on to the system on the same computer at a time. 2. One user can only log on to one client at a time.

A system I recently developed has encountered such a problem. The system has been developed, but the security evaluation has not passed, because there are no restrictions. How can this restriction be implemented? I have been searching for this online for a long time and found that many people have asked this question, but I have not found any clear answer. Later, I found myself, read some books, and finally found a solution.

It is not difficult to solve this problem. It may be too difficult for the experts to talk about it, but it may be difficult for people who are not familiar with Web programming for a long time. Next I will explain my solutions for your reference!

First, let's introduce the background of my system: J2EE, tomcat, and no cookie.

First, determine the basic ideas for solving these two problems:

1. There is only one way to allow only one user to log on to the system on the same computer. Monitor the source of each connection. If a new connection and an existing connection come from the same computer, terminate one of them (you can also remind the user, let him decide which one to terminate ).

2. to prohibit a user account from logging on to different clients at the same time, only the user account that monitors each connection must be disabled, if you find that the user account for a new connection is the same as the user account for an existing connection, the previous one is automatically terminated (you can also decide which one to terminate ).

After determining the basic idea, we need to find a specific method. My initial idea was to create a table in the database to store the username, physical address, session ID, and other information of the logged-on user. When a user logs on, it matches the data in this table. If the physical address is the same as a record in the table, it indicates that multiple users log on to the same client, if you find that the username of the user you are logging on to is the same as that in the table, but the host name is different, it means that an account is used on different clients at the same time.

I believe that many people who encounter this problem will consider this solution. However, there are many problems with this method. There are two major problems: efficiency. Each time, data is retrieved from the database for matching. The second is that you need to delete the records in the table when exiting, but it is difficult to monitor the records in a timely manner when the user exits abnormally (it was found that there was a way to monitor the records later ).

Later, in a post on the Internet, I saw a Daxia talking about using a listener, but the Daxia was too vague to solve the problem. Although it cannot be solved, it provides an idea. So I found a book and carefully read the part about the listener. The solution is here !!!

For more information about listeners, see my next blog. Here we will first tell you the solution:

The listener can listen to the session and its attributes, that is, attribute.

So what we need to do is:

1. Create a listener to implement the httpsessionattributelistener interface and listen on adding, editing, and deleting events for each attribute. The listener also creates a map to put all sessions into this map.

2. When a user logs on, the user name, physical address, and session ID are stored in the session (a user login address data transmission object can be created. I created a usersessionadd class, which contains username, macadd and sessionid attributes. When a user logs on, the data object is initialized and stored in the session ).

3. When each new session is enabled, the listener determines the attributes contained in the session. If the new attributes are the same as the user logon address data of the existing session in the map, it indicates that the new session conflicts with the two restrictions we have to make. Extract conflicting sessions and destroy them!

This is not clear enough. Let's look at the code below:

Web. xml

<Listener>
<Listener-class> complete listener path </listener-class>
</Listener>


 

User Login address data transmission object:

Public class usersession {

Private string ADDR;

Private string sessid;

Private string username;

Public String getaddr (){
Return ADDR;
}

Public void setaddr (string ADDR ){
This. ADDR = ADDR;
}

Public String getsessid (){
Return sessid;
}

Public void setsessid (string sessid ){
This. sessid = sessid;
}

Public String GetUserName (){
Return username;
}

Public void setusername (string username ){
This. Username = username;
}

}


 

User Logon code:

Httpsession session = request. getsession ();

String Userhost = request. getremotehost ();

String sessionid = request. getsession (). GETID ();

Usersession = new usersession ();

Usersession. setusername (user. GetUserName ());

Usersession. setsessid (sessionid );

Usersession. setaddr (Userhost );

Request. getsession (). setattribute ("usersession", usersession );


 

Listener code:



Import java. util. hashmap;
Import java. util. Map;

Import javax. servlet. http. httpsession;
Import javax. servlet. http. httpsessionattributelistener;
Import javax. servlet. http. httpsessionbindingevent;

Public class loginlistenner implements httpsessionattributelistener {

Map <string, httpsession> map = new hashmap <string, httpsession> ();

Public void attributeadded (httpsessionbindingevent event ){
String name = event. getname ();

If (name. Equals ("usersession ")){

Usersession = (usersession) event. getvalue ();

If (Map. Get (usersession. GetUserName ())! = NULL ){

Httpsession session = map. Get (usersession. GetUserName ());

Session. removeattribute ("usersession ");

Session. invalidate ();
}
Map. Put (usersession. GetUserName (), event. getsession ());
}

}

Public void attributeremoved (httpsessionbindingevent event ){
String name = event. getname ();

If (name. Equals ("usersession ")){

Usersession = (usersession) event. getvalue ();

Map. Remove (usersession. GetUserName ());

}
}

Public void attributereplaced (httpsessionbindingevent event ){
// Todo auto-generated method stub

}

}


Only one user is allowed to log on to the system on the same computer.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.