Re: [jetty-users] HttpSession object lifetime
Thank you Jan,
I already use a very short timeout combined with a browser-side
heartbeat, but the requirement in this case is that users cannot be
allowed to work from multiple sessions at the same time. I
think I will try something like your second suggestion, invalidating the
earlier sessions on the first subsequent request.
Cheers,
Silvio
On 4/30/21 2:04 AM, Jan Bartel wrote:
Hi Silvio,
The HttpSession is a server object and thus its lifecycle is managed
by the server. Applications should not try and hold references to
these objects, as you've discovered ;)
There isn't an API provided by the spec that would allow you to
randomly access any session by its id. I wouldn't encourage you to try
and use any jetty-specific apis to do that either, as once again you
could wind up in a mess trying to manage session lifecycles that are
designed to be managed by the container. So I don't see any easy way
of proactively invalidating and removing a session that is not part of
the current request.
Instead, you could investigate an approach like:
+ set a reasonably short timeout on sessions (tuned to your app's
usage): if the user logs in again somewhere else and never refers to
that session again, it will timeout
+ keep a map of user -> sessionid that is the currently "valid" one,
and use a filter in your app to check if the user,sessionid tuple of
the current request is in that map; if not, invalidate the session or
just reject the request and let the session timeout
An alternative approach would be to do a custom LoginService or JAAS
LoginModule that prevented a subsequent login if the user is already
logged in. You would still need to manage and consult your own map of
logged-in users.
cheers
Jan
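The following is an added example of the second approach Jan describes (the user -> session id map checked from a filter), which is also what Silvio says he intends to try. It is not code from the thread or from Jetty itself. It assumes the application stores the authenticated user name in a session attribute named "user" and calls register() from its own login code after authentication succeeds (both are assumptions), that there is a single JVM (a clustered deployment would need a shared store instead of the static map), and the javax.servlet API of Jetty 9/10 (Jetty 11 uses the jakarta.servlet package names). Two details that the prose leaves implicit are handled: the listener removes a mapping only if it still points at the session being destroyed, so an old session timing out cannot evict the user's newer login, and HttpSessionIdListener follows a session id change made by session-fixation protection, which would otherwise make the filter reject the user's own current session.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

/** Registry of the one session id that is currently "valid" for each user. */
public final class SingleSessionRegistry {
    // user -> session id of the most recent login.
    // Assumption: one JVM; a clustered deployment needs a shared store here.
    private static final Map<String, String> CURRENT = new ConcurrentHashMap<>();
    // Session attribute under which the application stores the logged-in user (assumed name).
    static final String USER_ATTR = "user";

    private SingleSessionRegistry() {}

    /** Assumed hook: the application's login code calls this once authentication succeeds. */
    public static void register(HttpSession session, String user) {
        session.setAttribute(USER_ATTR, user);
        // Newest login wins. Any earlier session for this user is now stale: the filter
        // rejects it on its next request, and if it never sends one it simply times out.
        CURRENT.put(user, session.getId());
    }

    static boolean isCurrent(String user, String sessionId) {
        return sessionId.equals(CURRENT.get(user));
    }

    /** Rejects requests arriving on a session that is no longer the user's current one. */
    @WebFilter("/*")
    public static final class Guard implements Filter {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpSession session = request.getSession(false); // never create a session here
            if (session != null) {
                String user = (String) session.getAttribute(USER_ATTR);
                if (user != null && !isCurrent(user, session.getId())) {
                    // This session belongs to an earlier login. We hold it as part of the
                    // current request, so we can invalidate it and force re-authentication.
                    session.invalidate();
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED,
                            "Session superseded by a newer login");
                    return;
                }
            }
            chain.doFilter(req, res);
        }
    }

    /** Keeps the map in step with the lifecycle the container manages. */
    @WebListener
    public static final class Tracker implements HttpSessionListener, HttpSessionIdListener {
        @Override
        public void sessionDestroyed(HttpSessionEvent se) {
            HttpSession s = se.getSession();
            String user = (String) s.getAttribute(USER_ATTR);
            // Forget the mapping only if it still points at this session, so a stale
            // session timing out cannot knock out the user's newer one.
            if (user != null) CURRENT.remove(user, s.getId());
        }

        @Override
        public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
            // Session-fixation protection (Jetty's renew-on-authentication, or an explicit
            // changeSessionId()) replaces the id; follow it or the filter would reject the
            // user's own session on the next request.
            HttpSession s = se.getSession();
            String user = (String) s.getAttribute(USER_ATTR);
            if (user != null) CURRENT.replace(user, oldSessionId, s.getId());
        }
    }
}
```

The filter deliberately calls getSession(false): creating sessions for anonymous requests would both waste server memory and give every unauthenticated client a session to fixate. Keeping the timeout short, as Jan suggests in the first point, still matters with this code in place, because a superseded session that never sends another request is never seen by the filter and is only reclaimed by the container's own expiry.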