Get started
Loading...
Important Notice - Forums is archived

To simplify things and help our users to be more productive, we have archived the current forum and focus our efforts on helping developers on Stack Overflow. You can post new questions on Stack Overflow or join our Discord channel.

Product icon
TUTORIAL

Vaadin lets you build secure, UX-first PWAs entirely in Java.
Free ebook & tutorial.

Where to include a web components css file when integrating a third party w by Martin Vyšný, 1 week ago
Recent Posts
Vaadin Forum4. Other

invalidating only a certain session instance by session id

Tudor Raneti
10 years ago Apr 02, 2012 9:49am

In my application using Shiro, I made it so there can't be two people logged in with the same username at the same time.

Because there may be a second person that has the account creator's username and password, and use it with or without permission,
and for that, I've given the account creator the possibility to reset his password and reclaim his account at any time, but, I also need to
log out the other user first for this to happen, else the account creator can't log in at all with his username until the other user logs out or his session is invalidated

Shiro doesn't have a clear way to log out another user programatically as far as I know, and I've asked about this in their forum w/o an answer yet. I'm working about achieving this but unsure of success

Now, I've thought of a way to achieve sort of a logout, if I can keep a hashmap of usernames and sessionid's, with which in this situation
I would invalidate that user's session, forcing him to relogin, which he can't because the main account owner changed password.

So my question is, although not directly related to Vaadin, how to invalidate only a certain session by session id?

Last updated on Apr, 2nd 2012
Charles Anthony
10 years ago Apr 02, 2012 11:19am

Hi,

Basically, you can't : there is no way using the J2EE spec to invalidate a given session ID.

However, based on an idea from here you could use a request filter, catch all requests bound to that sessionid, and invalidate the session before it gets processed.

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
    Set<String> sessionIdsToInvalidate = getSessionIdsToInvalidate();
    HttpSession session = ((HttpServletRequest)request).getSession(false);
    String currentSessionId = session == null ? null : session.getId();
    if(sessionIdsToInvalidate.contains(currentSessionId)) {       
        session.invalidate();
        sessionIdsToInvalidate.remove(currentSessionId);
    }
    chain.doFilter(request, response);
}

HTH,

Cheers,

Charles

Last updated on Apr, 2nd 2012
Tudor Raneti
10 years ago Apr 02, 2012 2:48pm

Thank you. That goes hand in hand with these as well, with which you can optimize perhaps to not filter 100% of the time (enable/disable a filter):

How can I add a servlet filter programmatically?
http://stackoverflow.com/questions/7904577/how-can-i-add-a-servlet-filter-programmatically

How to add filters to servlet without modifying web.xml
http://stackoverflow.com/questions/7192834/how-to-add-filters-to-servlet-without-modifying-web-xml

Last updated on Apr, 2nd 2012