
Disable multiple user login for web based application

I'm creating a web based application that requires people to register and login for access to certain pages. I want to stop users from giving out their username/password to other people by denying access to more than one person using the same username at the same time.

Don't know if it's a great solution, but you can keep a bit in the users table and set it to 1 when the user is logged in. Check it before login; if it's set, don't allow more logins by other users. In the logout function, unset this bit.

In Spring Security, we can manage user login like this:

<session-management>
    <concurrency-control max-sessions="1"/>
</session-management>

So when the user logs in, you are going to set some session values. If one more user tries to log in using the already logged-in user's ID and password, check those parameters in the back end before going to the login condition. You can prevent the user from logging in multiple times with the same userLogin and password.

You can use either a database or a distributed cache.

I prefer using a database (User_ID, SessionKey, LoginTime, Logout time).

After login, you have to record an entry in the database/cache with a unique session ID. When a login is attempted with the same credentials, update the existing entry with the logout time and create a new entry with the recent login time.

E.g., when you log in with John,

the entry in the table is like 'John','1020edf1','29-06-2015 00:10:00',null.

When the second login comes after 10 minutes,

the entries in the table will be like this:

'John','1020edf1','29-06-2015 00:10:00','29-06-2015 00:20:00'
'John','10asdf21','29-06-2015 00:20:00','null'

From your application, you can have a reaper thread mechanism, which will remove inactive sessions if the user tries to log out from the application.

Here, the session key is the unique session ID generated by the application server.
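
The session table described in the answer above, as an added example that is not part of the original post: Python with an in-memory SQLite table, where a new login closes the previous session and every request re-checks its key. The table and function names, the partial unique index, and the max-age reaper policy are assumptions made for illustration.

```python
import secrets
import sqlite3

def open_registry():
    # In-memory table with the answer's four columns (names are assumed).
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE user_session (
        user_id TEXT NOT NULL, session_key TEXT PRIMARY KEY,
        login_time TEXT NOT NULL, logout_time TEXT)""")
    # The database itself enforces at most one open row per user.
    db.execute("""CREATE UNIQUE INDEX one_open_session
        ON user_session(user_id) WHERE logout_time IS NULL""")
    return db

def login(db, user_id, now):
    """Call only after credentials are verified; `now` is a datetime."""
    key = secrets.token_urlsafe(32)  # unpredictable session key
    with db:  # one transaction: closing the old row and inserting the new one
        db.execute("UPDATE user_session SET logout_time = ? "
                   "WHERE user_id = ? AND logout_time IS NULL",
                   (now.isoformat(), user_id))
        db.execute("INSERT INTO user_session VALUES (?, ?, ?, NULL)",
                   (user_id, key, now.isoformat()))
    return key

def is_active(db, session_key):
    """Per-request check: a key is valid only while its row has no logout time."""
    row = db.execute("SELECT 1 FROM user_session "
                     "WHERE session_key = ? AND logout_time IS NULL",
                     (session_key,)).fetchone()
    return row is not None

def logout(db, session_key, now):
    with db:
        db.execute("UPDATE user_session SET logout_time = ? "
                   "WHERE session_key = ? AND logout_time IS NULL",
                   (now.isoformat(), session_key))

def reap(db, now, max_age):
    """Reaper pass: close sessions older than max_age; returns rows closed."""
    cutoff = (now - max_age).isoformat()
    with db:
        cur = db.execute("UPDATE user_session SET logout_time = ? "
                         "WHERE logout_time IS NULL AND login_time < ?",
                         (now.isoformat(), cutoff))
    return cur.rowcount
```

Because the close-and-insert runs in one transaction and the index rejects a second open row, two simultaneous logins for the same user cannot both end up active.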
