Logging out the old session and continuing in a new session with the same user ID and password in Java web apps

Disclaimer: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must comply with the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/10135308/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Date: 2020-10-30 23:44:22  Source: igfitidea

logging out old session and continuing in new session with same user ID and Password in Java Web Apps

Tags: java, session, jakarta-ee, web-applications

Asked by user1126046

Suppose a person is logged in with a user ID and password in an app. Now, with the same user ID and password, he is trying to log in without logging out from the first session. I want to make it so that it will log out from the first session and continue with the new one automatically.

Struts2, JSP and Java are the technologies I'm using for my apps.

Problems I am facing

  1. IE 8 gives the same session ID on the same machine if we open a new tab or window. I am not able to differentiate between different logins from the same machine. How can I set my own session ID?
  2. Banking applications like the SBI sites all work like that; how does it work in real time?
  3. I want to replicate the same thing the SBI bank sites do for online transactions: send a "session out" message in the first window if you open it again in a new window.

Please let me know how this logging part works in detail. Thanks.

This is my filter

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class FirstFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        System.out.println("FirstFilter : In filter doFilter before doFilter...");
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // Do not create a session just for this check; null means "not logged in yet"
        HttpSession session = req.getSession(false);

        // The credentials are only present on the login request itself;
        // on every other request both parameters are null
        String userId = req.getParameter("username");
        String password = req.getParameter("password");
        System.out.println(" : : " + userId);
        System.out.println(" : " + req.getServletPath());

        LoggedInUserVO userProfVOSession = null; // LoggedInUserVO is the app's own value object
        if (session != null) {
            String sessionId = session.getId();
            userProfVOSession = (LoggedInUserVO) session.getAttribute("LoggedInUser");
            // check login id, password and session id for single-user sign-in
            if (null != userProfVOSession) {
                if (userProfVOSession.getUserName().equalsIgnoreCase(userId)
                        && userProfVOSession.getUserPassword().equals(password)
                        && userProfVOSession.getSessionId().equals(sessionId)) {
                    // do nothing: same user, same session
                } else {
                    // Reached for a second login, but also for every ordinary request
                    // after login, because userId is null there; only logged so far
                    System.out.println("in duplicate");
                }
            }
        }

        if (userProfVOSession == null) {
            // Not logged in: let only the login actions and the static resources through
            String path = req.getServletPath();
            // getServletPath() always starts with "/"; the original "css/twalk.css" could never match
            if ("/populatelogin.action".equals(path) || "/login.action".equals(path)
                    || "/images/Twalk-Logo-4-green.png".equals(path)
                    || "/css/twalk.css".equals(path)) {
                chain.doFilter(req, res);
            } else {
                req.getRequestDispatcher("Entryindex.jsp").forward(req, res);
            }
        } else {
            chain.doFilter(req, res);
        }
    }
}

Answered by UVM

Basically your requirement leads to a web security vulnerability. If a person is already logged in, then his session must be active. Now the scenario is like this:

If he tries to log in again with the same credentials, he will be automatically logged in. If you want to kill the old session for every login, then what you need to do is get a new session every time you log in, so your old session will be expired. You can achieve this by just writing a filter. In this filter, check whether the user is already associated with a session or not; if yes, then invalidate his current session and start a new one. This will solve the issue of multiple login attempts.

Remember that when a session is initiated, the server sends a cookie back to the user. Henceforth, for every subsequent request made, this cookie will be transmitted to the server. Even if you open multiple tabs in the browser, this same cookie is sent back to the server.

Hope I understood this.
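As an added example (not from the question or the answer), one way to carry out the answer's advice with a small per-user session registry instead of comparing passwords inside the filter. It assumes a javax.servlet 3.0+ container, the LoggedInUser attribute name from the question's filter, that the Struts2 login action calls SingleSessionRegistry.login(ServletActionContext.getRequest(), userId) once the credentials have been checked, and that the filter calls isCurrent(session) in place of its password comparison; SingleSessionRegistry, ACTIVE and isCurrent are hypothetical names.

```java
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Keeps one live session per user id: a new login displaces the previous one. */
@WebListener
public class SingleSessionRegistry implements HttpSessionListener {
    // Attribute name taken from the question's filter; here it just holds the user id.
    public static final String USER_ATTR = "LoggedInUser";
    // user id -> the only session currently allowed for that user (hypothetical registry)
    private static final ConcurrentHashMap<String, HttpSession> ACTIVE = new ConcurrentHashMap<>();

    /** Called from the login action after the credentials have been verified. */
    public static HttpSession login(HttpServletRequest req, String userId) {
        // Drop the session the browser already carried (shared across IE 8 tabs, or issued
        // before login) and start the authenticated session with a fresh id.
        HttpSession carried = req.getSession(false);
        if (carried != null) {
            carried.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(USER_ATTR, userId);
        // Register the new session; whatever was registered before is the old window.
        HttpSession previous = ACTIVE.put(userId, fresh);
        if (previous != null && !previous.getId().equals(fresh.getId())) {
            try {
                previous.invalidate(); // the first window's next request now has no session
            } catch (IllegalStateException alreadyExpired) { }
        }
        return fresh;
    }

    /** For the filter: true only if this session is the one registered for its user. */
    public static boolean isCurrent(HttpSession session) {
        Object userId = session.getAttribute(USER_ATTR);
        HttpSession registered = userId == null ? null : ACTIVE.get(userId.toString());
        return registered != null && registered.getId().equals(session.getId());
    }

    @Override public void sessionCreated(HttpSessionEvent se) { }

    @Override public void sessionDestroyed(HttpSessionEvent se) {
        // Unregister on timeout/invalidate, but only if the dying session is the registered one
        Object userId = se.getSession().getAttribute(USER_ATTR);
        String dyingId = se.getSession().getId();
        if (userId != null) {
            ACTIVE.computeIfPresent(userId.toString(), (k, s) -> s.getId().equals(dyingId) ? null : s);
        }
    }
}
```

Because the displaced session is invalidated rather than flagged, the old window's next request reaches the filter with no session and is forwarded to Entryindex.jsp, which is where a "logged in elsewhere" message would be rendered.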