How to achieve one user one session at a time

cancel
Showing results for 
Search instead for 
Did you mean: 
hardik_thakkar
Active Member II

How to achieve one user one session at a time

If i want to restrict one user one session, how can i achieve that?

Let say, if any user is logged on one browser and if he/she logging using other browser then first session should be closed/invalidated.

If possible, what are the configuration changes/customization are required?

1 Reply
abhinavmishra14
Advanced

Re: How to achieve one user one session at a time

I am not sure if there is a way to achieve this use case but, ACS returns same ticket for each user when you login using same user from different clients. When you logout from one client/browser the ticket gets removed from "ticketCache" and when you refresh the browser on other logged in instance, TicketComponent implememtation in alfresco checks whether the existing ticket in this instance is still valid or not. Since the ticket was removed for the same user by logging out from other broswer, it will generate a new ticket, put it in the ticketCache and returns it. But on alredy logged in browser you would not notice that ticket was regenerated. You can test this by calling the login api manually. Look at these classes for more details:

org.alfresco.repo.security.authentication.TicketComponent
org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl

You can set the log setting to : log4j.logger.org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl=TRACE 

And tail the log to see what happens when you login and logout for same user using different browsers. 

Alfresco APIs doesn't care what session ids are generated in different browsers. All it cares is about the ticket. If ticket is invalidated because you logged out from browser, any api call with old ticket for same user would not be allowed and you would have to get the new ticket by calling login api. So basically, a user is still not authorised to use the ticket if it logged out from other place.

HttpSessions are specific to each app which are deployed in tomcat container and each app would have its own way of handling it. Like Alfresco app would have different way of handling it and share would have different way.

The HTTPSession (as you are referring to session Id here) would be handled somewhere in a Share controler level (Spring Web MVC) implementation.

Look at this classes as to how the http sessions are handled:

https://github.com/Alfresco/share/blob/master/share/src/main/java/org/alfresco/web/site/servlet/Slin... 

https://github.com/Alfresco/share/blob/master/share/src/main/java/org/alfresco/web/site/servlet/Slin...

I am not sure if its even a good idea to touch these classes. I might have understood this question differently. Anyone else may have better answers.

~Abhinav
(ACSCE, AWS SAA, Azure Admin)