invalidating only a certain session instance by session id
In my application using Shiro, I made it so there can't be two people logged in with the same username at the same time.
Because there may be a second person who has the account creator's username and password and uses it with or without permission, I've given the account creator the possibility to reset his password and reclaim his account at any time. But I also need to log out the other user first for this to happen, else the account creator can't log in at all with his username until the other user logs out or his session is invalidated.
Shiro doesn't have a clear way to log out another user programmatically as far as I know, and I've asked about this in their forum without an answer yet. I'm working on achieving this but unsure of success.
Now, I've thought of a way to achieve a sort of logout, if I can keep a hashmap of usernames and session ids, with which in this situation I would invalidate that user's session, forcing him to relogin, which he can't because the main account owner changed the password.
So my question is, although not directly related to Vaadin, how to invalidate only a certain session by session id?
Hi,
Basically, you can't: there is no way using the J2EE spec to invalidate a given session ID.
However, based on an idea from here you could use a request filter, catch all requests bound to that sessionid, and invalidate the session before it gets processed.
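    import java.io.IOException;
    import java.util.Set;
    import javax.servlet.*;
    import javax.servlet.http.*;

    // Method of a class implementing javax.servlet.Filter
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Session ids flagged for invalidation (helper supplied by the application)
        Set<String> sessionIdsToInvalidate = getSessionIdsToInvalidate();
        // getSession(false): never create a session just to inspect it
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        String currentSessionId = session == null ? null : session.getId();
        if (currentSessionId != null && sessionIdsToInvalidate.contains(currentSessionId)) {
            session.invalidate();
            sessionIdsToInvalidate.remove(currentSessionId);
        }
        chain.doFilter(request, response);
    }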
HTH,
Cheers,
Charles
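The filter idea above combined with the username-to-session-id map from the question, as an added example that is not part of the original posts. The class and method names (SessionKillFilter, register, revokeUser) are hypothetical, and the javax.servlet API is assumed.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example; all names here are hypothetical, not Vaadin or Shiro API.
public class SessionKillFilter implements Filter {
    // username -> id of the one session currently allowed for that user
    private static final Map<String, String> ACTIVE = new ConcurrentHashMap<>();
    // session ids that must be invalidated on their next request
    private static final Set<String> REVOKED = ConcurrentHashMap.newKeySet();

    /** Call after a successful login, with the id of the new session. */
    public static void register(String username, String sessionId) {
        ACTIVE.put(username, sessionId);
    }

    /** Call after a password reset. Returns true if a session was marked. */
    public static boolean revokeUser(String username) {
        String id = ACTIVE.remove(username);
        return id != null && REVOKED.add(id);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getSession(false) avoids creating a session for anonymous requests
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        // remove() is an atomic check-and-clear, so two concurrent requests
        // on the same session cannot both try to invalidate it
        if (session != null && REVOKED.remove(session.getId())) {
            session.invalidate();
        }
        // The request continues without a session, so the application's
        // normal authentication check sends the user back to the login page
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

The revoked session stays valid until its next request reaches the filter, so the filter must be mapped to every URL that accepts the session. Ids of sessions that expire without making another request remain in REVOKED unless they are also removed when the container destroys the session.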
Thank you. That goes hand in hand with these as well, with which you can optimize perhaps to not filter 100% of the time (enable/disable a filter):
How can I add a servlet filter programmatically?
http://stackoverflow.com/questions/7904577/how-can-i-add-a-servlet-filter-programmatically
How to add filters to servlet without modifying web.xml
http://stackoverflow.com/questions/7192834/how-to-add-filters-to-servlet-without-modifying-web-xml