handling stale session

Discussion in 'Java' started by a, Jun 28, 2011.

  1. a

    a Guest

    Hi

    My question is about handling the stale session caused by a user exiting
    the application without logging out. I use a table to maintain session info
    and user, e.g., session id, user oid.
    If the user exits the application without logging out properly or the web
    server restarts, there is a record left in the table.
    I am planning to check the validity of the session id in the table when the
    user next logs in.
    Is it possible to check whether the session is still alive or not by telling
    the session id?

    Thanks
    a, Jun 28, 2011
    #1

  2. a

    Silvio Guest

    Approach this from the other end. Add a listener to the session to hook
    into the session timeout and clean up the session.

    Silvio


    Silvio, Jun 28, 2011
    #2

  3. a

    a Guest

    Thanks for your reply.
    I need to check the validity of the session proactively because I only allow
    one session per IP.
    When there is another login request with a duplicate IP, I have to
    determine the validity of the existing session.

    a, Jun 29, 2011
    #3
  4. a

    Silvio Guest

    If you properly clean up stale sessions (clear the session flag in the
    database in your case) on both timeout and logout then this problem is
    solved. At login time you simply demand that the session flag in the
    database for that IP is cleared.

    The only problem that remains is that if someone closes his browser
    without logging out properly and then tries to log in again shortly after
    then he will be refused until his previous session finally times out.
    This is a general problem with web applications.
    There are several workarounds for this problem. One would be to allow
    subsequent logins and simply overwrite the session id in the database
    for that IP. In the application you then consciously re-check if the
    current session id is equal to the one in the database. If not then the
    session has been rendered invalid by a subsequent login and you issue a
    message and log the session out.

    Silvio, Jun 29, 2011
    #4
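
The cleanup-on-timeout-and-logout approach described in the post above, as an added example that is not part of the original thread. It uses the standard `javax.servlet` API; the class name `SingleSessionPerIp`, the methods `tryLogin` and `logout`, and the `login.ip` attribute are hypothetical, and an in-memory map stands in for the poster's session table.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added example: register via <listener> in web.xml. The map stands in for
// the session table from the thread (client IP -> session id).
public class SingleSessionPerIp implements HttpSessionListener {
    private static final String IP_ATTR = "login.ip"; // hypothetical attribute name
    private static final ConcurrentMap<String, String> ACTIVE = new ConcurrentHashMap<String, String>();

    /** Call from the login handler after the credentials have been verified. */
    public static boolean tryLogin(HttpServletRequest request) {
        String ip = request.getRemoteAddr();
        HttpSession session = request.getSession(true);
        // putIfAbsent is atomic: two concurrent logins from one IP cannot both win.
        String owner = ACTIVE.putIfAbsent(ip, session.getId());
        if (owner != null && !owner.equals(session.getId())) {
            session.invalidate(); // refused; the earlier session keeps the slot
            return false;
        }
        session.setAttribute(IP_ATTR, ip); // lets sessionDestroyed find the entry
        return true;
    }

    /** Explicit logout; invalidate() triggers sessionDestroyed below. */
    public static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) { } // nothing to record until login

    /** Called by the container on timeout and on invalidate(). */
    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        Object ip = session.getAttribute(IP_ATTR);
        if (ip != null) {
            // Remove only if the entry still belongs to this session.
            ACTIVE.remove(ip, session.getId());
        }
    }
}
```

Behind a reverse proxy or NAT, `getRemoteAddr()` returns the shared address, so the one-session limit then applies to everyone behind it.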
  5. a

    a Guest

    Thank you very much for your reply.
    You have pointed out the problem with my plan.
    The reason that multiple sessions from one machine are not allowed is to
    avoid attack.
    Therefore, overwriting the existing session id with the subsequent one is not
    an option because someone may be able to keep overriding the existing session.
    Whatever the reason, the number of sessions should be limited.
    This is the reason I need a solution for a proactive session validity check.


    a, Jun 29, 2011
    #5
  6. a

    Silvio Guest

    I am afraid you still don't get it. Doing it the way I proposed will
    allow you to limit the number of sessions per IP to 1. The workaround I
    described would only be appropriate if the restriction were less
    harsh. What you want is the simplest scenario (and has the drawback that
    people may lock themselves out for some time by not logging out properly).

    There is no way to distinguish a session that is no longer reachable by
    its user from an active session. A session is either active or it has
    been invalidated, either by timeout or by explicit logout by the
    application.

    Silvio


    Silvio, Jun 29, 2011
    #6