Re: Avoid multiple logon..

From: marcus (marcus_at_welby.com)
Date: 07/08/04


Date: Wed, 07 Jul 2004 22:02:46 -0700

Gurudev -- your first post and your followup say entirely different
things. Your first post said "The real issue here is that need to
ENSURE that a user does not logon more than once" in very emphatic
language. The second said "we do not want any user to share his
UID/PWD with others and abuse the system".

The second one is easy, and has many solutions that do not involve
preventing duplicate logins so much as choosing how to react to them --
which, btw, is a marketing decision rather than a programming decision.
One solution is to kill the existing connection on a new login. If he
gives away his pwd he screws himself. I have used this myself by
handing the connection off to another servlet to manage, and it worked
extremely well in a development environment.

Alternatively, you can simply log the duplicate login event and sweep the
logs for possible abuse, which is the most friendly method because it
allows for human interpretation and interaction with the user.

You could prevent duplicate logins, but have the user jump through a
hoop to reset (as in the case of a crash), such as following a link and
replying to an email. I had a system like this once where I had to make a
phone call and keypad my PIN to reset the system and have a new pwd issued.

-- clh

Gurudev wrote:
> Hello Paul,
>
> Thanks for your response. I believe in my situation it would make
> perfect sense to avoid multiple logins by the same user. See, we offer
> live streaming content over the net and we do not want any user to
> share his UID/PWD with others and abuse the system. So there needs to
> be a way that the last authenticated user retires/expires his previous
> logon (..do I make sense?)
>
> The only way I see this happening is with session persistence, which
> I've heard to be very memory intensive ..so any other options?
>
> Anyways, thanks for all your responses.
>
> TIA
> Guru.
>
> Paul Ilechko <plechik@us.ibm.com> wrote in message news:<cc2946$asps$1@news.boulder.ibm.com>...
>
>>Gurudev wrote:
>>
>>
>>>I have been reading all I can about Sessions and Tracking but in vain.
>>>Here's the deal:
>>>
>>>I have been using cookies for session tracking. I had to resort to
>>>cookies because HttpSessions are not feasible since my env. is
>>>WebSphere 5 ND. There is no guarantee that the session is replicated
>>>across application servers in a clustered env.
>>
>>If you use session persistence there absolutely is such a guarantee.
>>
>>
>>>The real issue here is that I need to ENSURE that a user does not logon
>>>more than once. In simple terms, avoid multiple logins. On a successful
>>>2nd logon I would like to terminate. I know this can be achieved by
>>>doing a DB read on every page forward/action. I want to avoid DB dips
>>>since this will affect the performance of my application. By the way,
>>>I am using the Struts framework for the web app.
>>>
>>>Is there any other way , In which the above can be achieved?
>>
>>This is absolutely not worth even attempting. So what if a user logs in
>>more than once? Trying to prevent it is going to lead you into a whole
>>mess of problems. Firstly, there is no connection between security login
>>and session management - destroying the session does NOT log a user out
>>from a WAS security perspective, as the LTPA token is still in the
>>browser and still valid. Secondly, what happens if a user's browser or
>>PC crashes? They haven't logged out, but they have no security
>>credential. If you prevent them from logging in again because you think
>>they are still logged on you are going to generate a whole bunch of
>>calls to your helpdesk. This is just a dumb idea.
>
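The three reactions to a duplicate login discussed in this thread (kill the earlier session, only log it and sweep the logs later, or refuse the new login until an out-of-band reset), modelled as a framework-independent session registry. This is an added example, not code from any of the posters or from WebSphere/Struts; the names `SessionRegistry`, `Policy`, `authorize`, `issue_reset` and `suspects` are assumptions of this example, and the in-memory dictionaries stand in for whatever shared store (database, replicated session, cache) a clustered deployment would actually consult.

```python
"""Single-login policies for a web application, modelled framework-free.

Added example, not code from the thread. All class and method names are
assumptions of this example; the dicts below stand in for a shared store.
"""
import secrets
import time
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set


class Policy(Enum):
    KILL_PREVIOUS = "kill_previous"  # new login wins, earlier session is invalidated
    LOG_ONLY = "log_only"            # both sessions stay valid; the event is recorded
    REJECT_NEW = "reject_new"        # new login refused until an out-of-band reset


@dataclass
class Session:
    sid: str
    user: str
    created: float
    active: bool = True


class SessionRegistry:
    """Authoritative record of which sessions are live, shared by all nodes."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.sessions: Dict[str, Session] = {}
        self.audit: List[dict] = []
        self.reset_tokens: Dict[str, str] = {}

    def _live(self, user: str) -> List[Session]:
        return [s for s in self.sessions.values() if s.user == user and s.active]

    def login(self, user: str) -> Optional[str]:
        """Called only after the credential check succeeded.
        Returns a new session id, or None when the policy refuses the login."""
        others = self._live(user)
        if others:
            self.audit.append({"event": "duplicate_login", "user": user,
                               "policy": self.policy.value,
                               "existing": [s.sid for s in others],
                               "ts": time.time()})
            if self.policy is Policy.REJECT_NEW:
                return None
            if self.policy is Policy.KILL_PREVIOUS:
                for s in others:
                    s.active = False
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(sid, user, time.time())
        return sid

    def authorize(self, sid: str) -> Optional[Session]:
        """Per-request check against the shared store. Without it a killed
        session keeps working, because the container's own credential (an SSO
        token still sitting in the browser) is untouched by anything above."""
        s = self.sessions.get(sid)
        return s if s is not None and s.active else None

    def issue_reset(self, user: str) -> str:
        """Out-of-band reset (email link, phone call plus PIN): one-time token."""
        tok = secrets.token_urlsafe(16)
        self.reset_tokens[user] = tok
        return tok

    def reset(self, user: str, token: str) -> bool:
        """Consumes the token on any attempt, so each issued token allows one try."""
        expected = self.reset_tokens.pop(user, None)
        if expected is None or not secrets.compare_digest(expected, token):
            return False
        for s in self._live(user):
            s.active = False
        self.audit.append({"event": "reset", "user": user, "ts": time.time()})
        return True

    def suspects(self, threshold: int) -> Set[str]:
        """Log sweep: users whose duplicate-login count reached the threshold."""
        counts: Dict[str, int] = {}
        for e in self.audit:
            if e["event"] == "duplicate_login":
                counts[e["user"]] = counts.get(e["user"], 0) + 1
        return {u for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    reg = SessionRegistry(Policy.KILL_PREVIOUS)
    first = reg.login("guru")
    second = reg.login("guru")
    print("first still valid:", reg.authorize(first) is not None)
    print("second valid:", reg.authorize(second) is not None)
    print("audit:", reg.audit)
```

Whichever policy is chosen, `authorize` has to run on every request against the shared registry; that is the lookup Gurudev wanted to avoid, and the reason Paul's objection stands: invalidating the application's session does nothing to the security credential the container issued, so the application itself must refuse the request.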