存储和使来自其他用户的Java HttpSession无效 [英] Store and invalidate Java HttpSession from different user

问题描述

好的.我想要做的是能够在更新用户时使他们当前具有的任何会话无效，以强制刷新凭据.我不在乎能够直接访问特定于会话的用户数据.理想情况下，我也可以通过类似的方式将用户限制为一个会话.

Okay. What I want to do is be able to, when I update a user, invalidate any session that they currently have in order to force a refresh of credentials. I don't care about being able to directly access the session-specific user data. Ideally, I would also be able to restrict users to one session by a similar manner.

我尝试做的是使用用户名作为键并使用HttpSession作为值来创建HashMap(我的实际设置涉及更多点，但是在反复出现似乎莫名其妙的失败之后，我将其简化为这个简单的测试).但是，每当我尝试告诉检索到的HttpSession无效时，它似乎都在使当前的[admin]会话无效. HttpSession是否与当前请求密不可分?

What I tried doing is creating a HashMap using the username as key and HttpSession as the value (my actual setup is a little more involved, but after repeated seemingly inexplicable failures, I boiled it down to this simple test). However, whenever I attempt to tell the retrieved HttpSession to invalidate, it seems to be invalidating the current [admin] session. Is HttpSession inextricably bound to the current request?

还是有一种完全不同的方式来处理此问题?

Or is there an entirely different way to deal with this?

如果碰巧，我正在使用Jetty 6.1.26.

If it happens to matter, I'm using Jetty 6.1.26.

推荐答案

没有直接的方法.我想到的最简单的方法是在数据库(或cahche)上保留一个标志，并检查每个请求的有效性.

There's no straight forward way. The easiest way I can think of is to keep a flag on the database (or a cahche) and check it's validity on each request.

或者您可以实现HTTP会话侦听器，并保留可访问和无效的用户会话的HashMap.

Or you can implement a HTTP Session listener and keep a HashMap of user sessions that can be accessed and invalidated.

我还没有尝试过这些方法，所以我不知道任何性能问题.但这对于大多数应用程序来说应该是可以接受的.

I haven't tried any of these out so I don't know of any performance issues. But it should be acceptable for most applications.

这篇关于存储和使来自其他用户的Java HttpSession无效的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！