Prevent multiple login using the same user name and password

Question

I am developing an application that needs to prevent multiple login using the same user name and password.

If it happens on the same machine then obviously we need to do something with the user session, but it should also prevent if they are login on different machines using the same user name and password.

We have to keep following things in mind:

1. If user close the browser without logout.
2. If session time out.

I would appreciate any help on this.

Answer 1

If user close the browser without logout.

Particularly this case is hard and not reliable to detect. You could use the beforeunload event in Javascript, but you're fully dependent on whether the browser has JS enabled and the particular browser supports this non-standard event (e.g. Opera doesn't). That's also one of the major reasons that I'd suggest to just logout the previously logged in user instead of preventing the login. That's also more user-friendly and secure for the case that the user "forgot" to logout from the other computer.

Easiest way is to let the User have a static Map<User, HttpSession> variable and let it implement HttpSessionBindingListener (and Object#equals() and Object#hashCode()).

public class User implements HttpSessionBindingListener {

    // All logins.
    private static Map<User, HttpSession> logins = new HashMap<User, HttpSession>();

    // Normal properties.
    private Long id;
    private String username;
    // Etc.. Of course with public getters+setters.

    @Override
    public boolean equals(Object other) {
        return (other instanceof User) && (id != null) ? id.equals(((User) other).id) : (other == this);
    }

    @Override
    public int hashCode() {
        return (id != null) ? (this.getClass().hashCode() + id.hashCode()) : super.hashCode();
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        HttpSession session = logins.remove(this);
        if (session != null) {
            session.invalidate();
        }
        logins.put(this, event.getSession());
    }

    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        logins.remove(this);
    }

}

When you login the User as follows:

User user = userDAO.find(username, password);
if (user != null) {
    request.getSession.setAttribute("user", user);
} else {
    // Show error.
}

then it will invoke the valueBound() which will remove any previously logged in user from the logins map and invalidate the session.

When you logout the User as follows:

request.getSession().removeAttribute("user");

or when the session is timed out, then the valueUnbound() will be invoked which removes the user from the logins map.

Answer 2

Create one table in your database — let's call it [online_users] — with three fields:

[online_users]
1. username
2. login_time
3. logout_time

Whenever a user logs in, insert the user's name and the login time into [online_users].

On all pages which require users to log in, place this condition: check [online_users] to see if the user's logout_time is blank or not.

Whenever a user presses a logout button, set the logout_time in [online_users] for that user's name.

If someone tries to log in with an active username and password, check for username and logout_time and display a message stating that the user is already logged in. And, most importantly, set logout_time to MULTIPLELOGIN for that user.

If that user is logged in on any other machine, then if he refreshes or navigates to another page the site will tell him that he has been logged out. Then, the user can be redirected to the homepage of the site.