Java Remote kill user session

How I can kill a user sessionId from a web administration panel? I mean, I have multiple users entering a website with jboss 4.2 and struts 1.3 and I want to close a session of some of these users remotely from same website. What is the best strategy?

One possible solution is to associate the JSESSIONID to the user in the database and set the JSESSIONID. Then for each transaction to ask if I remove user session.

I try to handle it by using context.xml in jboss side with FileStore session, but if I delete the session file (eg 2B6609A6CA38E35EEDF21BF3F3253BC8.session) the session is still active.

<Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false">
    <Store  className="org.apache.catalina.session.FileStore" directory="\tmp\">  
    </Store>
 </Manager&g开发者_运维知识库t;

Any suggestions? thanks

One of the ways is to just collect those sessions yourself with help of a HttpSessionListener:

public class SessionManager implements HttpSessionListener {

    private static Map<String, HttpSession> sessions = new ConcurrentHashMap<String, HttpSession>();        

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        sessions.put(event.getSession().getId(), event.getSession());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        sessions.remove(event.getSession().getId());
    }

    public static boolean invalidate(String sessionId) {
        HttpSession session = sessions.get(sessionId);

        if (session != null) {
            session.invalidate();
            return true;
        } else {
            return false;
        }
    }

}

It allows you for doing something like this in your webadmin panel's code:

SessionManager.invalidate(someSessionId);

Perhaps you're already using a HttpSessionListener to sync the sessions with the database. That would be totally superfluous this way then.

There should be a JMX interface for that.