3

Can I expire all sessions of a user?
I know that I can expire a session by using session.invalidate().

I am using Tomcat, servlet/JSP.

In a session I have an attribute userId.

On that basis we define that this session belongs to a particular user.

I have a need in which I have to invalidate all sessions containing a particular userId.

informatik01
Nirbhay Mishra
  • 5
    You can create a `HttpSessionListener` and add each created session to some `List` and put it in `context`. Then iterate through the `List` to get each `session`, check for its attribute and `invalidate()`! – AllTooSir May 14 '13 at 07:33
  • You can make all session values empty. – KhAn SaAb May 14 '13 at 07:50

3 Answers

6

Use this code to manage your active sessions and get a session by its Id, then you can call this session and invalidate it once needed:

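    import java.util.HashMap;
    import java.util.Map;
    import java.util.logging.Logger;

    import javax.servlet.http.HttpSession;
    import javax.servlet.http.HttpSessionEvent;
    import javax.servlet.http.HttpSessionListener;

    public class SessionListener implements HttpSessionListener
    {
        // java.util.logging is used here so the class compiles without extra libraries
        private static final Logger logger =
                Logger.getLogger(SessionListener.class.getName());

        // Active sessions, keyed by session ID
        private static Map<String, HttpSession> map =
                new HashMap<String, HttpSession>();

        public void sessionCreated(HttpSessionEvent event)
        {
            String id = event.getSession().getId();
            logger.fine("session created : " + id);
            // Store the session, for example in a database
            map.put(id, event.getSession());
        }

        // Look up a tracked session by its ID
        public static HttpSession getHttpSession(String sessionID)
        {
            return map.get(sessionID);
        }

        public void sessionDestroyed(HttpSessionEvent event)
        {
            // get the destroying session...
        }
    }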
CloudyMarble
  • Good answer, voted up. sessionDestroyed() is overloaded and called every time we destroy a session. Can we overload it only when we want to destroy all sessions? – Nirbhay Mishra May 14 '13 at 07:56
  • It's in the HttpSessionListener interface, you must implement it, at least the declaration. – CloudyMarble May 14 '13 at 07:59
  • 2
    The code is not thread-safe since HashMap is not a thread-safe class. Also, the "map" is never cleaned so the sessions will stay in memory forever, causing a memory leak. – Konstantin Pavlov Jul 27 '15 at 18:22
  • reply to a similar question, http://stackoverflow.com/questions/35276554/spring-security-how-to-expire-all-sessions-of-a-user/35276555#35276555 – Ilan.K Feb 10 '16 at 09:17
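
A thread-safe variant of the listener approach discussed in this thread, as an added example that is not part of the original posts: it removes sessions when they are destroyed and invalidates every tracked session whose `userId` attribute matches. The class name `UserSessionRegistry` and the method `invalidateAllFor` are hypothetical; the `userId` attribute comes from the question, and the `javax.servlet` API (Servlet 3.0, as on Tomcat 7) is assumed to be on the classpath.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added example (hypothetical class name). Register it with <listener> in web.xml
// or with @WebListener so the container calls it for every session.
public class UserSessionRegistry implements HttpSessionListener {

    // ConcurrentHashMap: listener callbacks arrive on many request threads at once.
    private static final Map<String, HttpSession> SESSIONS = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        SESSIONS.put(event.getSession().getId(), event.getSession());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Runs on invalidate() and on timeout; dropping the entry avoids the memory leak.
        SESSIONS.remove(event.getSession().getId());
    }

    // Invalidates every live session whose "userId" attribute equals userId (same type
    // as the value stored at login) and returns how many sessions were invalidated.
    public static int invalidateAllFor(Object userId) {
        if (userId == null) {
            return 0;
        }
        int invalidated = 0;
        for (Map.Entry<String, HttpSession> entry : SESSIONS.entrySet()) {
            try {
                if (userId.equals(entry.getValue().getAttribute("userId"))) {
                    entry.getValue().invalidate(); // container then calls sessionDestroyed
                    invalidated++;
                }
            } catch (IllegalStateException alreadyInvalid) {
                // Session expired between lookup and use: drop the stale reference.
                SESSIONS.remove(entry.getKey());
            }
        }
        return invalidated;
    }
}
```

If the session ID is changed after login (for example by `request.changeSessionId()` in Servlet 3.1), also implement `HttpSessionIdListener` to re-key the map. The registry only sees sessions created in the same JVM, so a clustered deployment needs a shared store instead.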
1

Make a listener by implementing HttpSessionListener and add each created session to a data structure, like a Map or List.

For a Map, use the session ID as the key and the session object as the value.

Override both sessionCreated(HttpSessionEvent event) and sessionDestroyed(HttpSessionEvent event).

The sessionCreated(HttpSessionEvent event) method is called when any session is created by the container, and we can do whatever we want with it at creation time, like adding it to a list or map.

sessionDestroyed(HttpSessionEvent event) is called whenever a session is destroyed or invalidated (either by code or timed out by the server). We can do whatever we want with it before it is destroyed, like recording the total logged time, removing it from the list or map, etc.

Nirbhay Mishra
0

You can make all session values empty.

session.removeAttribute("userId");
KhAn SaAb