handling stale session

a

Hi

My question is about handling a stale session caused by the user exiting the
application without logging out. I use a table to maintain session info and user,
e.g. session id, user oid.
If the user exits the application without logging out properly or the web server
restarts, there is a record left in the table.
I am planning to check the validity of the session id in the table when the
user next logs in.
Is it possible to check whether the session is still alive or not, given
the session id?

Thanks
 
Silvio

Approach this from the other end. Add a listener to the session to hook
into the session timeout and clean up the session.

Silvio
 
a

Thanks for your reply.
I need to check the validity of the session proactively because I only allow
one session per IP.
When there is another login request with a duplicate IP, I have to
determine the validity of the existing session.
 
Silvio

If you properly clean up stale sessions (clear the session flag in the
database in your case) on both timeout and logout, then this problem is
solved. At login time you simply demand that the session flag in the
database for that IP is cleared.

The only problem that remains is that if someone closes his browser
without logging out properly and then tries to log in again shortly after,
he will be refused until his previous session finally times out.
This is a general problem with web applications.
There are several workarounds for this problem. One would be to allow
subsequent logins and simply overwrite the session id in the database
for that IP. In the application you then consciously re-check whether the
current session id is equal to the one in the database. If not, the
session has been rendered invalid by a subsequent login, and you issue a
message and log the session out.
 
a

Thank you very much for your reply.
You have pointed out the problem with my plan.
The reason that multiple sessions from one machine are not allowed is to avoid
attacks.
Therefore, overwriting the existing session id with the subsequent one is not
an option, because someone may be able to keep overriding the existing session.
Whatever the reason, the number of sessions should be limited.
This is the reason I need a solution for a proactive session validity check.
 
Silvio

I am afraid you still don't get it. Doing it the way I proposed will
allow you to limit the number of sessions per IP to 1. The workaround I
described would only be appropriate if the restriction were less
harsh. What you want is the simplest scenario (and has the drawback that
people may lock themselves out for some time by not logging out properly).

There is no way to distinguish a session that is no longer reachable by
its user from an active session. A session is either active or it has
been invalidated, either by timeout or by explicit logout by the
application.

Silvio
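To make Silvio's two replies concrete, here is an added example (not code from the original thread, and not any particular framework's API) of a session table that enforces one session per IP. It uses an in-memory dict as a stand-in for the database table, an assumed 30-minute idle timeout, and constructed client addresses from the TEST-NET ranges. `expire_stale()` is the work a session-timeout listener does (on a servlet container that would be `HttpSessionListener.sessionDestroyed`); `logout()` clears the row on explicit logout; `login()` in strict mode refuses a second session while a row exists, and in overwrite mode implements the workaround, where `validate_request()` catches the session whose id was overwritten by a later login.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_TIMEOUT = 30 * 60  # seconds; assumed value, normally container config


@dataclass
class SessionRecord:
    """One row of the session table: session id, user oid, client IP,
    and the time of the last request seen on that session."""
    session_id: str
    user_oid: str
    ip: str
    last_seen: float


class SessionTable:
    """In-memory stand-in for the database table, keyed by client IP so
    that at most one row (one session) per IP can exist."""

    def __init__(self, allow_overwrite: bool = False,
                 clock: Callable[[], float] = time.monotonic) -> None:
        # False: strict, a second login from the same IP is refused while a
        # row exists. True: the workaround, a new login replaces the row and
        # the displaced session is caught by validate_request().
        self.allow_overwrite = allow_overwrite
        self.clock = clock
        self.by_ip: Dict[str, SessionRecord] = {}

    def _expired(self, rec: SessionRecord, now: float) -> bool:
        return now - rec.last_seen > SESSION_TIMEOUT

    def expire_stale(self) -> int:
        """What the session-timeout listener does: clear timed-out rows.
        Returns the number of rows removed."""
        now = self.clock()
        stale = [ip for ip, rec in self.by_ip.items() if self._expired(rec, now)]
        for ip in stale:
            del self.by_ip[ip]
        return len(stale)

    def login(self, ip: str, user_oid: str) -> Optional[str]:
        """Return a new session id, or None when strict mode refuses the
        login because a (not yet expired) row exists for this IP."""
        self.expire_stale()  # the timeout listener may not have run yet
        if ip in self.by_ip and not self.allow_overwrite:
            return None
        sid = secrets.token_urlsafe(32)  # unguessable, never a counter
        self.by_ip[ip] = SessionRecord(sid, user_oid, ip, self.clock())
        return sid

    def logout(self, ip: str, session_id: str) -> bool:
        """Explicit logout clears the row, but only for the matching id."""
        rec = self.by_ip.get(ip)
        if rec is None or not secrets.compare_digest(
                rec.session_id.encode(), session_id.encode()):
            return False
        del self.by_ip[ip]
        return True

    def validate_request(self, ip: str, session_id: str) -> bool:
        """Per-request check: the presented id must equal the row for this
        IP. A missing or expired row, or a mismatch left by a later login
        in overwrite mode, means the session is invalid: log it out."""
        rec = self.by_ip.get(ip)
        now = self.clock()
        if rec is None or self._expired(rec, now):
            self.by_ip.pop(ip, None)
            return False
        if not secrets.compare_digest(rec.session_id.encode(), session_id.encode()):
            return False
        rec.last_seen = now
        return True


class FakeClock:
    """Controllable clock so the timeout path runs without waiting."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> Dict[str, bool]:
    """Walk through both scenarios from the thread with a constructed IP."""
    ip, clock = "203.0.113.5", FakeClock()
    strict = SessionTable(allow_overwrite=False, clock=clock)
    first = strict.login(ip, "user-42")
    retry = strict.login(ip, "user-42")      # browser closed, retried: refused
    clock.advance(SESSION_TIMEOUT + 1)
    again = strict.login(ip, "user-42")      # row timed out: allowed
    lenient = SessionTable(allow_overwrite=True, clock=clock)
    old = lenient.login(ip, "user-42")
    new = lenient.login(ip, "user-42")       # overwrites the row for this IP
    return {
        "first_issued": first is not None,
        "retry_refused": retry is None,
        "login_after_timeout": again is not None,
        "old_id_rejected": not strict.validate_request(ip, first),
        "logout_clears_row": strict.logout(ip, again) and ip not in strict.by_ip,
        "overwritten_session_invalid": not lenient.validate_request(ip, old),
        "replacing_session_valid": lenient.validate_request(ip, new),
    }
```

Two practitioner caveats. The strict mode is exactly what Silvio describes, including the lockout until timeout; the lazy sweep in `login()` only shortens that window to the configured timeout, it cannot detect a closed browser any earlier, which is the point of his last reply. And a client IP is a weak identity: users behind the same NAT or proxy share one, so a per-IP limit will refuse legitimate users and will not stop an attacker who can change address; keying on the authenticated user oid (plus the session id re-check shown here) is the more common way to limit concurrent sessions.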
 
