invalidating only a certain session instance by session id

In my application using Shiro, I made it so there can’t be two people logged in with the same username at the same time.

Because there may be a second person that has the account creator’s username and password, and use it with or without permission,
and for that, I’ve given the account creator the possibility to reset his password and reclaim his account at any time, but, I also need to
log out the other user first for this to happen, else the account creator can’t log in at all with his username until the other user logs out or his session is invalidated

Shiro doesn’t have a clear way to log out another user programatically as far as I know, and I’ve asked about this in their forum w/o an answer yet. I’m working about achieving this but unsure of success

Now, I’ve thought of a way to achieve sort of a logout, if I can keep a hashmap of usernames and sessionid’s, with which in this situation
I would invalidate that user’s session, forcing him to relogin, which he can’t because the main account owner changed password.

So my question is, although not directly related to Vaadin, how to invalidate only a certain session by session id?


Basically, you can’t : there is no way using the J2EE spec to invalidate a given session ID.

However, based on an idea from
you could use a request filter, catch all requests bound to that sessionid, and invalidate the session before it gets processed.

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
    Set<String> sessionIdsToInvalidate = getSessionIdsToInvalidate();
    HttpSession session = ((HttpServletRequest)request).getSession(false);
    String currentSessionId = session == null ? null : session.getId();
    if(sessionIdsToInvalidate.contains(currentSessionId)) {       
    chain.doFilter(request, response);




Thank you. That goes hand in hand with these as well, with which you can optimize perhaps to not filter 100% of the time (enable/disable a filter):

How can I add a servlet filter programmatically?

How to add filters to servlet without modifying web.xml