If I want to restrict one user to one session, how can I achieve that?
Let's say a user is logged in on one browser and he/she logs in using another browser; then the first session should be closed/invalidated.
If possible, what configuration changes/customizations are required?
I am not sure if there is a way to achieve this use case, but ACS returns the same ticket for each user when you log in as the same user from different clients. When you log out from one client/browser, the ticket gets removed from "ticketCache", and when you refresh the browser on the other logged-in instance, the TicketComponent implementation in Alfresco checks whether the existing ticket in this instance is still valid or not. Since the ticket was removed for the same user by logging out from the other browser, it will generate a new ticket, put it in the ticketCache and return it. But on the already logged-in browser you would not notice that the ticket was regenerated. You can test this by calling the login API manually. Look at these classes for more details:
org.alfresco.repo.security.authentication.TicketComponent
org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl
You can set the log setting to:
log4j.logger.org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl=TRACE
And tail the log to see what happens when you log in and log out as the same user using different browsers.
Alfresco APIs don't care what session IDs are generated in different browsers. All they care about is the ticket. If the ticket is invalidated because you logged out from a browser, any API call with the old ticket for the same user would not be allowed, and you would have to get a new ticket by calling the login API. So basically, a user is still not authorised to use the ticket if they logged out from another place.
HttpSessions are specific to each app deployed in the Tomcat container, and each app would have its own way of handling them. For example, the Alfresco app would have one way of handling them and Share would have a different way.
The HttpSession (as you are referring to the session ID here) would be handled somewhere in a Share controller-level (Spring Web MVC) implementation.
Look at these classes to see how the HTTP sessions are handled:
I am not sure if it's even a good idea to touch these classes. I might have understood this question differently. Anyone else may have better answers.
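
One way to run the manual login-API test described in the answer above, as an added example that is not part of the original posts or Alfresco's own code. It assumes the ACS v1 REST authentication endpoints (`.../authentication/versions/1/tickets`); the base URL, the environment variable names and the function names are illustrative.

```python
import base64, json, os, urllib.error, urllib.request

# Assumption: ACS v1 REST authentication API; adjust if your version differs.
TICKETS = "/alfresco/api/-default-/public/authentication/versions/1/tickets"

def http_call(method, url, body=None, ticket=None):
    """Minimal HTTP client: returns (status, parsed JSON or None)."""
    headers = {"Content-Type": "application/json"}
    if ticket:  # a ticket is sent as the Basic credential, base64-encoded
        headers["Authorization"] = "Basic " + base64.b64encode(ticket.encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None

def login(base, user, password, call=http_call):
    status, doc = call("POST", base + TICKETS, {"userId": user, "password": password})
    if status != 201:
        raise RuntimeError(f"login failed with HTTP {status}")
    return doc["entry"]["id"]

def ticket_valid(base, ticket, call=http_call):
    status, _ = call("GET", base + TICKETS + "/-me-", ticket=ticket)
    return status == 200

def logout(base, ticket, call=http_call):
    status, _ = call("DELETE", base + TICKETS + "/-me-", ticket=ticket)
    return status == 204

def probe(base, user, password, call=http_call):
    """Two logins for one user, then a logout from the first client."""
    first = login(base, user, password, call)    # "browser A"
    second = login(base, user, password, call)   # "browser B"
    result = {"same_ticket": first == second}
    result["logout_ok"] = logout(base, first, call)
    result["second_valid_after_logout"] = ticket_valid(base, second, call)
    result["new_ticket_issued"] = login(base, user, password, call) != first
    return result

if __name__ == "__main__":
    # Placeholders: point these at a test instance you administer.
    print(probe(os.environ.get("ACS_URL", "http://localhost:8080"),
                os.environ["ACS_USER"], os.environ["ACS_PASSWORD"]))
```

If `same_ticket` is true and `second_valid_after_logout` is false, the repository is behaving as the answer describes: a logout from one client invalidates the ticket shared by every client of that user.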