handling stale session

 
 
a
      06-28-2011
Hi

My question is about handling the stale session caused by a user exiting the
application without logging out. I use a table to maintain session info and user,
e.g., session id, user oid.
If the user exits the application without logging out properly or the web server
restarts, there is a record left in the table.
I am planning to check the validity of the session id in the table when the
user next logs in.
Is it possible to check whether the session is still alive or not given
the session id?

Thanks

 
Silvio
      06-28-2011
Approach this from the other end. Add a listener to the session to hook
into the session timeout and clean up the session.

Silvio


On 06/28/2011 12:44 PM, a wrote:
> Hi
>
> My question is about handling the stale session caused by user exit
> application without logout. I use a table to maintain session info and
> user, e.g, session id, user oid.
> If the user exits the application without logout properly or the web
> server restart, there is a record left on the table.
> I am planning to check the validity of the session id on the table when
> the user next login.
> Is it possible to check whether the session is still alive or not by
> telling the session id?
>
> Thanks


 
a
      06-29-2011
Thanks for your reply.
I need to check the validity of the session proactively because I only allow
one session per IP.
When there is another login request with a duplicate IP, I have to
determine the validity of the existing session.


"Silvio" <(E-Mail Removed)> wrote in message
news:4e0a4776$0$4352$(E-Mail Removed)4all.nl...
> Approach this from the other end. Add a listener to the session to hook
> into the session timeout and cleanup the session.
>
> Silvio
>
>
> On 06/28/2011 12:44 PM, a wrote:
>> Hi
>>
>> My question is about handling the stale session caused by user exit
>> application without logout. I use a table to maintain session info and
>> user, e.g, session id, user oid.
>> If the user exits the application without logout properly or the web
>> server restart, there is a record left on the table.
>> I am planning to check the validity of the session id on the table when
>> the user next login.
>> Is it possible to check whether the session is still alive or not by
>> telling the session id?
>>
>> Thanks

>
>


 
Silvio
      06-29-2011
If you properly clean up stale sessions (clear the session flag in the
database in your case) on both timeout and logout then this problem is
solved. At login time you simply demand that the session flag in the
database for that IP is cleared.

The only problem that remains is that if someone closes his browser
without logging out properly and then tries to log in again shortly after
then he will be refused until his previous session finally times out.
This is a general problem with web applications.
There are several workarounds for this problem. One would be to allow
subsequent logins and simply overwrite the session id in the database
for that IP. In the application you then consciously re-check if the
current session id is equal to the one in the database. If not then the
session has been rendered invalid by a subsequent login and you issue a
message and log the session out.

On 06/29/2011 10:01 AM, a wrote:
> Thanks for your reply.
> I need to check the validity of the session proactively because I only
> allow one session per IP.
> When there is another login request with a duplicated ip, I have to
> determine the validity of the existing session.
>
>
> "Silvio" <(E-Mail Removed)> wrote in message
> news:4e0a4776$0$4352$(E-Mail Removed)4all.nl...
>> Approach this from the other end. Add a listener to the session to hook
>> into the session timeout and cleanup the session.
>>
>> Silvio
>>
>>
>> On 06/28/2011 12:44 PM, a wrote:
>>> Hi
>>>
>>> My question is about handling the stale session caused by user exit
>>> application without logout. I use a table to maintain session info and
>>> user, e.g, session id, user oid.
>>> If the user exits the application without logout properly or the web
>>> server restart, there is a record left on the table.
>>> I am planning to check the validity of the session id on the table when
>>> the user next login.
>>> Is it possible to check whether the session is still alive or not by
>>> telling the session id?
>>>
>>> Thanks

>>
>>

>


 
a
      06-29-2011
Thank you very much for your reply.
You have pointed out the problem of my plan.
The reason that one machine with multiple sessions is not allowed is to avoid
attack.
Therefore, overwriting the existing session id by the subsequent one is not
an option because someone may be able to keep overriding the existing session.
No matter the reason, the number of sessions should be limited.
This is the reason I need a solution for proactive session validity check.



"Silvio" <(E-Mail Removed)> wrote in message
news:4e0af10f$0$4366$(E-Mail Removed)4all.nl...
> If you properly cleanup stale sessions (clear the session flag in the
> database in your case) on both timeout and logout then this problem is
> solved. At login time you simply demand that the session flag in the
> database for that IP is cleared.
>
> The only problem that remains is that if someone closes his browser
> without logging out properly and then tries to login again shortly after
> then he will be refused until his previous session finally times out.
> This is a general problem with web applications.
> There are several workarounds for this problem. One would be to allow
> subsequent logins and simply overwrite the session id in the database
> for that IP. In the application you then consciously re-check if the
> current session id is equal to the one in the database. If not then the
> session has been rendered invalid by a subsequent login and you issue a
> message and log the session out.
>
> On 06/29/2011 10:01 AM, a wrote:
>> Thanks for your reply.
>> I need to check the validity of the session proactively because I only
>> allow one session per IP.
>> When there is another login request with a duplicated ip, I have to
>> determine the validity of the existing session.
>>
>>
>> "Silvio" <(E-Mail Removed)> wrote in message
>> news:4e0a4776$0$4352$(E-Mail Removed)4all.nl...
>>> Approach this from the other end. Add a listener to the session to hook
>>> into the session timeout and cleanup the session.
>>>
>>> Silvio
>>>
>>>
>>> On 06/28/2011 12:44 PM, a wrote:
>>>> Hi
>>>>
>>>> My question is about handling the stale session caused by user exit
>>>> application without logout. I use a table to maintain session info and
>>>> user, e.g, session id, user oid.
>>>> If the user exits the application without logout properly or the web
>>>> server restart, there is a record left on the table.
>>>> I am planning to check the validity of the session id on the table when
>>>> the user next login.
>>>> Is it possible to check whether the session is still alive or not by
>>>> telling the session id?
>>>>
>>>> Thanks
>>>
>>>

>>

>
>


 
Silvio
      06-29-2011
I am afraid you still don't get it. Doing it the way I proposed will
allow you to limit the number of sessions per IP to 1. The workaround I
described would only be appropriate if the restriction were less
harsh. What you want is the simplest scenario (and has the drawback that
people may lock themselves out for some time by not logging out properly).

There is no way to distinguish a session that is no longer reachable by
its user from an active session. A session is either active or it has
been invalidated, either by timeout or by explicit logout by the
application.

Silvio


On 06/29/2011 08:35 PM, a wrote:
> Thank you very much for your reply.
> You have pointed out the problem of my plan.
> The reason, that one machine with multiple sessions not allowed, is to
> avoid attack.
> Therefore, overwriting the existing session id by the subsequent one is
> not an option because someone may be able to keep overriding the existing
> session.
> No matter whatever reason, the number of sessions should be limited.
> This is the reason I need a solution for proactive session validity check.
>
>
>
> "Silvio" <(E-Mail Removed)> wrote in message
> news:4e0af10f$0$4366$(E-Mail Removed)4all.nl...
>> If you properly cleanup stale sessions (clear the session flag in the
>> database in your case) on both timeout and logout then this problem is
>> solved. At login time you simply demand that the session flag in the
>> database for that IP is cleared.
>>
>> The only problem that remains is that if someone closes his browser
>> without logging out properly and then tries to login again shortly after
>> then he will be refused until his previous session finally times out.
>> This is a general problem with web applications.
>> There are several workarounds for this problem. One would be to allow
>> subsequent logins and simply overwrite the session id in the database
>> for that IP. In the application you then consciously re-check if the
>> current session id is equal to the one in the database. If not then the
>> session has been rendered invalid by a subsequent login and you issue a
>> message and log the session out.
>>
>> On 06/29/2011 10:01 AM, a wrote:
>>> Thanks for your reply.
>>> I need to check the validity of the session proactively because I only
>>> allow one session per IP.
>>> When there is another login request with a duplicated ip, I have to
>>> determine the validity of the existing session.
>>>
>>>
>>> "Silvio" <(E-Mail Removed)> wrote in message
>>> news:4e0a4776$0$4352$(E-Mail Removed)4all.nl...
>>>> Approach this from the other end. Add a listener to the session to hook
>>>> into the session timeout and cleanup the session.
>>>>
>>>> Silvio
>>>>
>>>>
>>>> On 06/28/2011 12:44 PM, a wrote:
>>>>> Hi
>>>>>
>>>>> My question is about handling the stale session caused by user exit
>>>>> application without logout. I use a table to maintain session info and
>>>>> user, e.g, session id, user oid.
>>>>> If the user exits the application without logout properly or the web
>>>>> server restart, there is a record left on the table.
>>>>> I am planning to check the validity of the session id on the table
>>>>> when
>>>>> the user next login.
>>>>> Is it possible to check whether the session is still alive or not by
>>>>> telling the session id?
>>>>>
>>>>> Thanks
>>>>
>>>>
>>>

>>
>>

>
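
The listener approach discussed in this thread, sketched as an added example (not code posted by anyone in the thread): a session listener clears the per-IP record on timeout or logout, and login is refused while a record for that IP exists. The class name `SessionRegistry`, the attribute name, and the in-memory map standing in for the database table are assumptions.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical registry; the map stands in for the session table (IP -> session id). */
@WebListener
public class SessionRegistry implements HttpSessionListener {
    private static final String IP_ATTR = "registry.clientIp"; // assumed attribute name
    private static final ConcurrentMap<String, String> ACTIVE =
            new ConcurrentHashMap<>();

    /** Call after credentials are verified. Returns false if the IP already holds a session. */
    public static boolean tryRegister(HttpSession session, String clientIp) {
        // putIfAbsent is atomic: two concurrent logins from one IP cannot both succeed.
        if (ACTIVE.putIfAbsent(clientIp, session.getId()) != null) {
            return false;
        }
        // Remember the IP on the session so the listener can find the record later.
        session.setAttribute(IP_ATTR, clientIp);
        return true;
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to do: the record is written at login, not at session creation.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Invoked for container timeout and for explicit invalidate() (logout) alike.
        // Since Servlet 2.4 this runs before invalidation, so attributes are readable.
        HttpSession session = se.getSession();
        Object ip = session.getAttribute(IP_ATTR);
        if (ip != null) {
            // Two-argument remove: only clear the record if this session still owns it.
            ACTIVE.remove((String) ip, session.getId());
        }
    }
}
```

Call `SessionRegistry.tryRegister(request.getSession(), request.getRemoteAddr())` once authentication succeeds and reject the login when it returns false. With a real database table, rows left behind by a server crash get no `sessionDestroyed` callback and have to be purged at startup.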


 