Home/ Questions/Q 8724857
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T07:54:53+00:00

I have a JSF login page using form authentication. I login users by calling

  • 0

I have a JSF login page using form authentication. I login users by calling HttpServletRequest.login(username, password). Logging out is done by first calling ExternalContext.invalidateSession() and then calling HttpServletRequest.logout() for the current user.

My plan is to keep track of the logged in user in an application scoped list by adding to the list anytime a user logs in and removing from the list when a user logs out.

I have two concerns with this approach:

  1. If a user that was already logged in tries to log in again without first logging out, I want to invalidate the existing session and do some cleanup. How do I access the session for a given logged in user? I could also use this functionality to forcefully logout some users.

  2. If a session expires (e.g. timeout) I want to remove the user from the list of logged in users. How do I listen for a session expiration?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    1. Maintain a Map<User, HttpSession> logins in application scope yourself. During login, check if logins.put(user, session) doesn’t return null and then invalidate it.

    2. Let the User implement HttpSessionBindingListener and implement valueUnbound() accordingly so that it does a logins.remove(this). Or, if you don’t have control over User, then implement HttpSessionListener#sessionDestroyed() instead to perform the remove.

    Unrelated to the concrete problem, calling HttpServletRequest#logout() is unnecessary if you already invalidate the session. The user is tied to the session anyway.

    • 0