invalidating only a certain session instance by session id

In my application using Shiro, I made it so there can’t be two people logged in with the same username at the same time.

Because there may be a second person who has the account creator’s username and password and uses it, with or without permission, I’ve given the account creator the possibility to reset his password and reclaim his account at any time. But I also need to log out the other user first for this to happen; otherwise the account creator can’t log in at all with his username until the other user logs out or his session is invalidated.

Shiro doesn’t have a clear way to log out another user programmatically as far as I know, and I’ve asked about this in their forum without an answer yet. I’m working on achieving this but am unsure of success.

Now, I’ve thought of a way to achieve a sort of logout: if I can keep a hashmap of usernames and session IDs, then in this situation I would invalidate that user’s session, forcing him to log in again, which he can’t because the main account owner changed the password.


So my question is, although not directly related to Vaadin, how to invalidate only a certain session by session id?

Hi,

Basically, you can’t: there is no way using the J2EE spec to invalidate a given session ID.

However, based on an idea from here, you could use a request filter, catch all requests bound to that session ID, and invalidate the session before it gets processed.

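```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Method of a javax.servlet.Filter implementation mapped to the application's URLs.
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    // getSessionIdsToInvalidate() is the application's own shared set of IDs to kill.
    Set<String> sessionIdsToInvalidate = getSessionIdsToInvalidate();
    HttpSession session = ((HttpServletRequest) request).getSession(false);
    String currentSessionId = session == null ? null : session.getId();
    // Guard against requests without a session before touching the set or the session.
    if (currentSessionId != null && sessionIdsToInvalidate.contains(currentSessionId)) {
        session.invalidate();
        sessionIdsToInvalidate.remove(currentSessionId);
    }
    // The request continues without a session, so the login check sends the user back to login.
    chain.doFilter(request, response);
}
```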

HTH,

Cheers,

Charles
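The filter idea from the answer above, combined with the username-to-session-ID map from the question, as an added example that is not part of the original posts. The class name, `registerLogin` and `revokeUser` are hypothetical, and the class is assumed to be registered in web.xml as both a filter and a listener.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical helper: tracks username -> session ID and the IDs to revoke. */
public class SessionRevocationFilter implements Filter, HttpSessionListener {
    // Static so the container's listener instance and filter instance share state.
    private static final Map<String, String> SESSION_BY_USER = new ConcurrentHashMap<>();
    private static final Set<String> REVOKED = ConcurrentHashMap.newKeySet();

    /** Call after a successful login, once the session ID is final. */
    public static void registerLogin(String username, HttpSession session) {
        SESSION_BY_USER.put(username, session.getId());
    }

    /** Call from the password-reset flow, before the owner logs in again. */
    public static void revokeUser(String username) {
        String id = SESSION_BY_USER.remove(username);
        if (id != null) REVOKED.add(id);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        // remove() is atomic: only one of several concurrent requests invalidates.
        if (session != null && REVOKED.remove(session.getId())) {
            session.invalidate();
        }
        chain.doFilter(req, res);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Forget sessions that ended on their own so neither collection grows unbounded.
        String id = se.getSession().getId();
        REVOKED.remove(id);
        SESSION_BY_USER.values().remove(id);
    }

    @Override public void sessionCreated(HttpSessionEvent se) { }
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

The collections live in one JVM, so a clustered deployment needs shared storage for the revoked IDs. The revoked session stays usable until its next request reaches the filter, at which point it is invalidated before any application code runs.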

Thank you. That goes hand in hand with these as well, with which you can optimize perhaps to not filter 100% of the time (enable/disable a filter):


How can I add a servlet filter programmatically?


http://stackoverflow.com/questions/7904577/how-can-i-add-a-servlet-filter-programmatically


How to add filters to servlet without modifying web.xml


http://stackoverflow.com/questions/7192834/how-to-add-filters-to-servlet-without-modifying-web-xml