Home/ Questions/Q 7443395
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-29T11:19:25+00:00

So for my webapp, if I remove a user that is currently logged in,

  • 0

So for my webapp, if I remove a user that is currently logged in, and I want to invalidate his/her session. So that as soon as he/she refresh the page or navigate, they are no longer log in. The way I have now is that if a User logged in successfully, I will store the user object in my SessionScoped bean, and store the HttpSession to the Application Map. Below is my code

This is my SessionScoped bean

@PostConstruct
public void init() {
    User user = UserDAO.findById(userId, password);
    Map<String, Object> appMap = FacesContext.getCurrentInstance().
             getExternalContext().getApplicationMap();
    HttpSession session = (HttpSession) FacesContext.getCurrentInstance().
             getExternalContext().getSession(false);
    appMap.put(userId, session);
}

Is this a correct approach? If so, how do I clean up my application map?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Is this a correct approach?

    There are basically 2 ways.

    1. Store the HttpSession handle in the application scope by the user ID as key so that you can get a handle of it and invalidate it. This may work for a small web application running on a single server, but may not work on a web application running on a cluster of servers, depending on its configuration.

      I would only store it in another map in the application scope, not directly in the application scope like as you did, so that you can easier get an overview of all users and that you can guarantee that an arbitrary user ID won’t clash with an existing application scoped managed bean name, for example.

    2. Add a new boolean/bit column to some DB table associated with the user which is checked on every HTTP request. If the admin sets it to true, then the session associated with the request will be invalidated and the value in the DB will be set back to false.

    how do I clean up my application map?

    You could use HttpSessionListener#sessionDestroyed() for this. E.g.

    public void sessionDestroyed(HttpSessionEvent event) {
    User user = (User) event.getSession().getAttribute("user");
    if (user != null) {
        Map<User, HttpSession> logins = (Map<User, HttpSession>) event.getSession().getServletContext().getAttribute("logins");
        logins.remove(user);
    }
}
    • 0