Trying to log users out if multiple sessions

Vaadin 14.10.0.
I am a Swing developer with limited deep knowledge of web tech, including sessions.

Our standard system may have 1-5 users logged in.

Each user may be logged in to DESKTOP mode and PHONE mode simultaneously. These are just different screens in our app.

If they try to login to DESKTOP mode a second time I need to auto log them out of their first DESKTOP session.

I can’t identify how to find and cancel their logins.

I do store each login, e.g. (1) username, (2) sessionId and (3) mode.

I guess the easiest way is to get the VaadinSession and invalidate() or close()?

How can I find all the VaadinSessions?

I have tried …
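```java
import java.util.Collection;
import javax.servlet.http.HttpSession;
import com.vaadin.flow.server.VaadinSession;
import com.vaadin.flow.server.WrappedHttpSession;
import com.vaadin.flow.server.WrappedSession;

// Unwrap the current Vaadin session down to the servlet HttpSession
WrappedSession thisWs = VaadinSession.getCurrent().getSession();
WrappedHttpSession wrappedHttpSession = (WrappedHttpSession) thisWs;
HttpSession httpSession = wrappedHttpSession.getHttpSession();
// Only returns the VaadinSessions stored in this one HttpSession
Collection<VaadinSession> allSessions = VaadinSession.getAllSessions(httpSession);
for (VaadinSession vs : allSessions) {
    if (isEarlierLogin(vs)) { // placeholder for the "this-is-an-earlier-login" check
        vs.getSession().invalidate();
    }
}
```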

However, getAllSessions() only returns a single session, not the other sessions which are clearly present. I clearly don’t understand “sessions”.

Any suggestions would be much appreciated.

It’s a security feature that the servlet API doesn’t provide this kind of feature to leak sessions by accident. Stack Overflow has some helpful links to follow: https://stackoverflow.com/a/3771134

TL;DR: you have to do it yourself with HttpSession bookkeeping.

Actually I would not implement this using such bookkeeping of HTTP sessions. That has a lot of caveats. Instead I would use an application-scope event bus, post a login event there, and log out upon receiving the event.

Yeah, that would also work! Even though you still have to handle the logout yourself kinda :sweat_smile:

Thx Tatu. Is this the “application scope event bus” … https://stackoverflow.com/questions/24995677/how-to-get-all-sessions-in-vaadin

I would probably use a broadcaster and push. When a user logs in, push and log out the same user with a different session.

You will probably need to handle multiple tabs, since you can’t really invalidate the same session multiple times.
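
The application-scope event bus / broadcaster approach suggested in the replies above, as an added example (not code from the thread or from Vaadin). The class `LoginBroadcaster`, its methods and the sample logins are assumptions made for illustration; the `Runnable` stands in for the Vaadin-side logout of the displaced session.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Application-scoped registry: at most one live login per (username, mode). */
public class LoginBroadcaster {
    /** One registered login: its session id and the action that ends it. */
    static final class Login {
        final String sessionId;
        final Runnable forceLogout;
        Login(String sessionId, Runnable forceLogout) {
            this.sessionId = sessionId;
            this.forceLogout = forceLogout;
        }
    }

    private static final Map<List<String>, Login> ACTIVE = new ConcurrentHashMap<>();

    /** Registers a login; returns the session id it displaced, or null if none. */
    public static String register(String user, String mode, String sessionId, Runnable forceLogout) {
        Login previous = ACTIVE.put(Arrays.asList(user, mode), new Login(sessionId, forceLogout));
        // The same session logging in again (second tab) must not log itself out.
        if (previous == null || previous.sessionId.equals(sessionId)) {
            return null;
        }
        // Assumption: in Vaadin this callback wraps ui.access(...) with push enabled
        // and invalidates the old session, which closes all of its tabs at once.
        previous.forceLogout.run();
        return previous.sessionId;
    }

    /** Call on normal logout or session destroy so stale callbacks are dropped. */
    public static void unregister(String user, String mode, String sessionId) {
        ACTIVE.computeIfPresent(Arrays.asList(user, mode),
                (key, login) -> login.sessionId.equals(sessionId) ? null : login);
    }

    public static void main(String[] args) {
        List<String> loggedOut = new ArrayList<>(); // constructed sample logins below
        register("alice", "DESKTOP", "s1", () -> loggedOut.add("s1"));
        register("alice", "PHONE", "s2", () -> loggedOut.add("s2"));   // other mode: kept
        register("alice", "DESKTOP", "s1", () -> loggedOut.add("s1")); // same session: kept
        register("alice", "DESKTOP", "s3", () -> loggedOut.add("s3")); // displaces s1
        unregister("alice", "DESKTOP", "s1"); // stale id: s3 stays registered
        System.out.println("forced logouts: " + loggedOut);
    }
}
```

Call `register` only after authentication has succeeded and with the username taken from the server-side login result, so that an unauthenticated request cannot evict another user's session.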