WebApp Sec mailing list archives

Re: Single terminal login


From: Martin Tsachev <shaggy () vip bg>
Date: Sun, 15 Feb 2004 16:36:27 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 14 February 2004 14:58, stevenr () mastek com wrote:
Hi

I have worked with web based applications for quite some time. One issue
to which I have not found a satisfactory answer yet is that of a problem
with Single Terminal Login in a web based application.

By Single Terminal Login, I mean that if one user logs into a web
application (say JSP based), s/he should not be able to login from another
machine or even another browser from the same machine. This can be achieved
easily by setting a "logged in" flag on the server side using a DB or LDAP
etc. When the user clicks on the Logout link, the flag is reset and only
then the user can login from another browser/window. Now the hitch. If the
user closes the browser directly, or the power goes out, or the browser hangs
and has to be killed, the flag remains as "logged in". In short, the user cannot
log into the system again. The one workaround used commonly is setting a
timeout after which the user can login again, where a "last active time" is
maintained for each user. Every login request is cross-checked against this
time and if the difference is greater than some threshold value, the user
is able to login again.  But this means that every time the user does
something the "last active time" will have to be updated, which will be
expensive in a high traffic site. Also, the threshold value is always a hot
topic of debate :-)

Does anyone know a better or a different approach to this? It would be helpful
if someone knows some site/papers for this. Have googled but haven't come
across any myself.

Hi Steve,

this is what I'd do:

use a session cookie for the login session.
set another cookie (random value) in the browser for a period that's longer 
than the timeout, say if timeout is 1 hour, set it to 1 day

when someone logs in that is already flagged as logged in:
check if 2nd cookie matches, if yes let him in
if not display error

if next time they use another browser the 1 hour timeout will already be
expired and you'll regenerate cookies


- Steve

"He who laughs last probably made a backup..."



MASTEK
"Making a valuable difference"
Mastek in NASSCOM's 'India Top 20' Software Service Exporters List.
In the US, we're called MAJESCO

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Opinions expressed in this e-mail are
those of the individual and not that of Mastek Limited, unless specifically
indicated to that effect. Mastek Limited does not accept any responsibility
or liability for it. This e-mail and attachments (if any) transmitted with
it are confidential and/or privileged and solely for the use of the
intended person or entity to which it is addressed. Any review,
re-transmission, dissemination or other use of or taking of any action in
reliance upon this information by persons or entities other than the
intended recipient is prohibited. This e-mail and its attachments have been
scanned for the presence of computer viruses. It is the responsibility of
the recipient to run the virus check on e-mails and attachments before
opening them. If you have received this e-mail in error, kindly delete this
e-mail from all computers.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- -- 
Martin Tsachev
http://martin.f2o.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAL4Ptypytlz9Py3wRAl/6AJ4geK/UGuHxI6C5XftvVXJu1rUvfwCggUsN
raF8W9mYw/mb1txgciG/zyc=
=3TIl
-----END PGP SIGNATURE-----
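The two-cookie scheme described in the reply, written out as an added example (this is not code from either poster). It assumes an in-memory record per user (a real site would keep the same fields in its DB or LDAP store), that the caller has already verified the password before calling `login`, and that the web framework sets the returned values as cookies: the session value with no expiry, the device value with a Max-Age of one day. Class and function names (`SingleTerminalLogin`, `FakeClock`, `run_scenario`) are invented for the illustration. It also folds in Steve's "last active time" idea as a sliding expiry that is only written back once half the window has been used, so a busy user costs one write per half hour rather than one per request.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_TIMEOUT = 60 * 60          # inactivity timeout of the login session (1 hour, as in the reply)
DEVICE_COOKIE_TTL = 24 * 60 * 60   # lifetime of the "same browser" cookie (1 day, as in the reply)


@dataclass
class ActiveLogin:
    session_id: str          # value of the short-lived session cookie
    device_token: str        # value of the long-lived browser-identifying cookie
    session_expires: float   # last activity + SESSION_TIMEOUT
    device_expires: float    # issue time + DEVICE_COOKIE_TTL


@dataclass
class LoginResult:
    ok: bool
    reason: str = ""
    session_cookie: Optional[str] = None
    device_cookie: Optional[str] = None


def _same(a: str, b: str) -> bool:
    # Constant-time comparison of two cookie values (both are URL-safe ASCII tokens).
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class SingleTerminalLogin:
    """Server-side bookkeeping for one active login per user (hypothetical helper).
    Credential checking is assumed to happen before login() is called."""

    def __init__(self, clock=time.time):
        self.clock = clock                     # injectable so the scenario below is deterministic
        self.active: Dict[str, ActiveLogin] = {}

    def login(self, username: str, device_cookie: Optional[str] = None) -> LoginResult:
        now = self.clock()
        current = self.active.get(username)
        still_logged_in = current is not None and current.session_expires > now
        if still_logged_in:
            # The user is flagged as logged in. Only a browser holding the matching
            # device cookie (e.g. the one that crashed or was closed) may log in again.
            same_browser = (
                device_cookie is not None
                and current.device_expires > now
                and _same(device_cookie, current.device_token)
            )
            if not same_browser:
                return LoginResult(ok=False, reason="already logged in from another browser")
            device_token = current.device_token          # keep the token the browser already has
        else:
            device_token = secrets.token_urlsafe(32)     # nothing active or it expired: fresh token
        session_id = secrets.token_urlsafe(32)           # a new session always replaces the old one
        self.active[username] = ActiveLogin(
            session_id, device_token, now + SESSION_TIMEOUT, now + DEVICE_COOKIE_TTL)
        return LoginResult(ok=True, session_cookie=session_id, device_cookie=device_token)

    def authenticate(self, username: str, session_cookie: str) -> bool:
        """Per-request check of the session cookie with a cheap sliding expiry."""
        now = self.clock()
        current = self.active.get(username)
        if current is None or current.session_expires <= now:
            return False
        if not _same(session_cookie, current.session_id):
            return False
        # Write the "last active time" back only once at least half the window has
        # elapsed; the effective idle timeout then lies between T/2 and T.
        if now >= current.session_expires - SESSION_TIMEOUT / 2:
            current.session_expires = now + SESSION_TIMEOUT
        return True

    def logout(self, username: str, session_cookie: str) -> bool:
        current = self.active.get(username)
        if current is None or not _same(session_cookie, current.session_id):
            return False
        del self.active[username]                        # explicit logout clears the flag at once
        return True


class FakeClock:
    """Constructed clock so the scenario runs offline with controlled time."""
    def __init__(self, t: float = 1_000_000.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def run_scenario():
    """Browser A logs in, browser B is refused, A returns after a crash, B succeeds after the timeout."""
    clock = FakeClock()
    store = SingleTerminalLogin(clock)
    first = store.login("alice")                                       # browser A, first login
    other = store.login("alice")                                       # browser B: no device cookie
    clock.advance(600)
    crashed = store.login("alice", device_cookie=first.device_cookie)  # A relaunched after a crash
    clock.advance(SESSION_TIMEOUT + 1)
    later = store.login("alice")                                       # B again, session has lapsed
    return first, other, crashed, later


if __name__ == "__main__":
    for step, result in zip(("A", "B", "A after crash", "B after timeout"), run_scenario()):
        print(step, "->", "ok" if result.ok else result.reason)
```

Two points worth keeping in mind when deploying this: the device cookie is a bearer value, so whoever holds it can get past the single-terminal check, which is why it should be issued only over TLS with the Secure and HttpOnly attributes and stored server-side as an opaque random token; and the cheap sliding expiry means a user is really timed out somewhere between half an hour and an hour of idleness, which is the trade the thread's "threshold value" debate is about.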

