Keeping track of multiple sessions

Status
Not open for further replies.

relisys

Programmer
Mar 6, 2003
I'm developing a web system using servlets that allows users to log in. When they log in they are assigned an HTTP session ID, and every time they access a new page (via a new servlet) the time between the last access from that session and the current time is checked. If it's more than 10 minutes, it returns the user to the home page, and tells them to login again.

Works great.... no problems at all.

Once the session has been set, as a user navigates to new pages via new servlets, their information is loaded into the new servlet from a call such as Patient.load(session) whereby it searches through the SQL tables and retrieves the patient with that session.

The code below is how I am handling sessions:

    import java.io.IOException;
    import java.sql.Connection;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    public abstract class AbstractPage extends HttpServlet
    {
        // State kept in instance fields of the servlet
        protected String function = null;
        protected Connection con = null;
        protected HttpSession session = null;
        protected boolean nosession = false;

        public boolean handleSession(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
        {
            session = request.getSession(true);
            String function = request.getParameter("function");
            // "login".equals(...) is null-safe when no "function" parameter is sent
            if (session.isNew() && !"login".equals(function))
            {
                new HomePage().doRequest(request, response);
                return false;
            }
            /*
             * Checks the time that the session was last accessed against
             * the current system time. If this is greater than 600,000
             * milliseconds (10 minutes), the session is deemed "expired"
             * and the user is returned to login again.
             */
            else
            {
                long current = System.currentTimeMillis();
                long lastAccess = session.getLastAccessedTime();
                long inactiveTime = current - lastAccess;
                if (inactiveTime > 600000)
                {
                    new HomePage().doRequest(request, response, "Your session has expired");
                    return false;
                }
            }
            return true;
        }
    }


The problem I have now is that I want multiple users to access the system. Currently, if two people log on within a short space of time (from the same login servlet) they get the same session ID, so that updates to data are sometimes saved to the wrong patient on the database as they have the same session. Is there a better way to do this? Alternatively, can you "speed up" the renewal of sessions so that the system can keep up with multiple users. Have I even got the right end of the stick in handling sessions?!!!

Of course I have it that when users log out I call session.invalidate(), thus the next user gets a new session.

Many thanks in advance
 
HttpSession object has a built in timeout feature. You can get rid of all your time code and just check for an existing session and send them to "login" if there is not one then create a session if and only if they are successfully logged in (whew).

There's a run-on sentence if ever I saw one. LOL

To change the session timeout value call HttpSession.setMaxInactiveInterval(int)

-pete
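
The approach described in the reply above, as an added example that is not code from the thread: the container's own timeout replaces the manual time check, a session is created only after a successful login, and the session is held in a local variable rather than a servlet field. The class name, the `authenticate` and `render` methods, the `user`/`password` parameter names and the `/login` URL are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public abstract class SessionCheckedPage extends HttpServlet {
    // 10 minutes, in seconds: the container expires idle sessions itself.
    private static final int TIMEOUT_SECONDS = 600;

    // Hypothetical credential check; replace with the application's own.
    protected abstract boolean authenticate(String user, String password);

    // Hypothetical page body, called only for requests with a live session.
    protected abstract void render(HttpServletRequest request, HttpServletResponse response,
                                   HttpSession session) throws IOException, ServletException;

    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // Local variable, not a field: the container runs one servlet instance
        // for all concurrent requests, so a field would be shared by every user.
        HttpSession session = "login".equals(request.getParameter("function"))
                ? login(request)
                : request.getSession(false); // false: never creates a session
        if (session == null) {
            // No session, expired session, or failed login.
            response.sendRedirect(request.getContextPath() + "/login"); // assumed login URL
            return;
        }
        render(request, response, session);
    }

    // Creates a session if and only if the credentials check out.
    private HttpSession login(HttpServletRequest request) {
        if (!authenticate(request.getParameter("user"), request.getParameter("password"))) {
            return null;
        }
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate(); // drop any pre-login session so the ID is fresh
        }
        HttpSession session = request.getSession(true);
        session.setMaxInactiveInterval(TIMEOUT_SECONDS);
        return session;
    }
}
```

Subclasses read per-user data through the `session` argument passed to `render`, so no request ever sees a session object that another thread assigned.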
 
Thanks for that! Does that help me though with people signing in at the same time? If I set it to be inactive after say 1 minute then every minute a new user could log on and get a new code.

But then the old session would be inactive - I want to have it so that a user has to relogin after say 10 minutes..... hang on I'm confusing myself!

Basically I think I need two things:

· Each user must have a unique session ID, no matter how short a time period has passed between them and the last person to log on.

· Each user's session must be checked at every action so that if it is over 10 mins since last action then user must log on

With what you suggested can the two be possible at the same time? If you make the session inactive so that the next user to log on gets a different session, how do you check that older sessions (which are now inactive) are still within an "active time" and allow their owners to use the system?

Sorry it's 03:17! This might be hard to understand from my ramblings! lol
 
Sessions are user based, sort of. Each new browser instance is a new session. The built-in session mechanism does everything you detail in your post:

· Each user must have a unique session ID, no matter how short a time period has passed between them and the last person to log on.

· Each user's session must be checked at every action so that if it is over 10 mins since last action then user must log on

All you have to do is change the "time period" if the default is not what you desire. Once you do that the sessions will time out automatically if a user does not issue a request for the "time period".

-pete


 
So whatever happened with this?

I know from my experience that if you have a session open (for instance, in IE) and use File->New->Window to open a new window, that child window retains the same session ID as the parent window. You have to start a whole new instance of IE to get a new Session ID.

I've never experienced two users getting the same Session ID simply because they logged in at the same time. Further, I'm fairly certain the Session ID is assigned when the connection is made, not when a software "login" is completed.

It seems like there's a string here that needs pulling...

"When you have eliminated the impossible, whatever remains, however
improbable, must be the truth." ~ Arthur Conan Doyle
 