swing app, how to prevent multi-login

John_Woo

Hi,

A swing UI communicates with server via TCP/IP, socket, and the server supports up to 1 million UI.

I'm wondering, what's the simple way to prevent same userID login twice or more at the same time? I know Kerberos is good, but too complicated (this app is not using any j2ee package or 3rd package).
 
Mark Space

John_Woo said:
> Hi,
>
> A swing UI communicates with server via TCP/IP, socket, and the server

Hmm, I'm not sure what this has to do with Java or swing, but as for
TCP/IP.... nothing prevents it. I used to log with multiple terminals
all the time before they invented windows, it was the only way to get
stuff done quickly.

> supports up to
> 1 million UI.
>
> I'm wondering, what's the simple way to prevent same userID login twice
> or more at the

Offhand, I think you'll have to identify the login procedure, have that
check for the user already logged in, and return an error/wedge/ignore
on a multiple log-in attempt. This will require good design to make
certain that all logins go through a single entry point.

> same time? I know Kerberos is good, but too complicated (this app is
> not using any j2ee package or 3rd package).

I don't think Kerberos will help you. You'll still need to centralize
your logins as above. Kerberos might help you prevent a session from
being hijacked, or from people impersonating others to gain multiple
logins, but these are security issues. Really they don't have anything
to do with a single person giving a valid password, and logging in
multiple times. You still have to code that separately from anything else.
 
Brandon McCombs

Mark said:
> Hmm, I'm not sure what this has to do with Java or swing, but as for
> TCP/IP.... nothing prevents it. I used to log with multiple terminals
> all the time before they invented windows, it was the only way to get
> stuff done quickly.
>
> Offhand, I think you'll have to identify the login procedure, have that
> check for the user already logged in, and return an error/wedge/ignore
> on a multiple log-in attempt. This will require good design to make
> certain that all logins go through a single entry point.
>
> I don't think Kerberos will help you. You'll still need to centralize
> your logins as above. Kerberos might help you prevent a session from
> being hijacked, or from people impersonating others to gain multiple
> logins, but these are security issues. Really they don't have anything
> to do with a single person giving a valid password, and logging in
> multiple times. You still have to code that separately from anything else.

To add to what Mark says, Kerberos doesn't help prevent multiple logins.
That isn't what it is intended to do. In fact, Windows Server 2003
doesn't have any built-in way of preventing multiple concurrent logins
from a single username, and it uses Kerberos in a domain environment for
doing the authentication, so that tells you right there Kerberos isn't
the answer.

You will need to have a central repository for keeping track of who is
logged in and testing against that data repo every time someone logs in
to see if they are already logged in. Again, in the case of Windows
there isn't anything that already exists that can do that and I've used
a new attribute within the Active Directory schema to keep track of it.
You will have to do something like that on the server you are working
with (some flag or something) in order to prevent multiple concurrent
logins.
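
A sketch of the central login check the replies describe, added here as an example and not code posted by anyone in the thread. It uses only the JDK; the class name `SessionRegistry`, its method names and the user ID `alice` are hypothetical, and a plain `Object` stands in for each client's `Socket`.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

/** Server-side registry: the single entry point every login must pass through. */
public class SessionRegistry {
    // userId -> handle of the connection that currently owns the session
    private final ConcurrentMap<String, Object> active = new ConcurrentHashMap<>();

    /**
     * Call only after the password check has succeeded.
     * putIfAbsent is atomic, so two simultaneous logins for one user cannot both win.
     */
    public boolean tryLogin(String userId, Object connection) {
        return active.putIfAbsent(userId, connection) == null;
    }

    /**
     * Call from the connection's cleanup path (finally block, read timeout).
     * The two-argument remove clears the entry only if this connection still owns it,
     * so a rejected second connection cannot log the first one out when it closes.
     */
    public boolean release(String userId, Object connection) {
        return active.remove(userId, connection);
    }

    public boolean isLoggedIn(String userId) {
        return active.containsKey(userId);
    }

    public static void main(String[] args) {
        SessionRegistry registry = new SessionRegistry();
        Object first = new Object();   // stands in for the first client's Socket
        Object second = new Object();  // stands in for a second client's Socket

        System.out.println(registry.tryLogin("alice", first));   // first login is accepted
        System.out.println(registry.tryLogin("alice", second));  // concurrent login is refused
        System.out.println(registry.release("alice", second));   // refused client closing changes nothing
        System.out.println(registry.isLoggedIn("alice"));        // session still owned by first
        System.out.println(registry.release("alice", first));    // real owner disconnects
        System.out.println(registry.tryLogin("alice", second));  // user can log in again
    }
}
```

An entry that is never released locks the user out, so the server also needs a read timeout or heartbeat that calls `release` when a client disappears without closing its connection.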
 