Apache Wicket - wicket-auth-sessions - Prevent multiple signins

I'm using wicket-auth-roles, and in particular 'AuthenticatedWebApplication' to secure pages in my wicket application. I would like to disallow users from signing in from multiple locations with the same login. Currently users seem able to log into the same user from two different machines.

I'm sure it's as easy as invalidating the first user's session, but I don't know how to get at that from my AuthenticatedWebApplication when a second user comes along. Any guidance appreciated.

Thanks Matt


By implementing HttpSessionListener (example) you can monitor when sessions are created and destroyed.

I recommend having a user_id field in the session and adding sessions to a map when created.

You compare new sessions with those in this map, and make sure that the user ids are not the same.

If they are the same, the user is already logged in, so invalidate the new session, disallowing log in.
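
A sketch of the listener-plus-map approach described in this answer, added here as an example and not part of the original answer. The class name `SingleSessionRegistry`, the `claim` helper and the `user_id` attribute name are assumptions, as is the `javax.servlet` namespace; `claim` is meant to be called from the application's sign-in code once the credentials have been checked.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical registry: one live HTTP session per user id. Register it as a listener in web.xml. */
public class SingleSessionRegistry implements HttpSessionListener {

    /** Session attribute holding the signed-in user's id (the name is an assumption). */
    public static final String USER_ID_ATTR = "user_id";

    // user id -> id of the session that currently owns that login
    private static final ConcurrentMap<String, String> ACTIVE = new ConcurrentHashMap<>();

    /**
     * Call after the credentials have been verified. Returns false when another
     * session already holds this login; the caller should then refuse the sign-in.
     */
    public static boolean claim(String userId, HttpSession session) {
        // putIfAbsent is atomic, so two simultaneous sign-ins cannot both win
        String owner = ACTIVE.putIfAbsent(userId, session.getId());
        if (owner != null && !owner.equals(session.getId())) {
            return false;
        }
        session.setAttribute(USER_ID_ATTR, userId);
        return true;
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // The user is not known when the container creates the session,
        // so the comparison against the map happens in claim() at sign-in.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Runs on logout and on timeout; without this cleanup a user whose
        // browser crashed would stay locked out after the old session expired.
        HttpSession session = event.getSession();
        Object userId = session.getAttribute(USER_ID_ATTR);
        if (userId != null) {
            // Two-argument remove: drop the entry only if this session still owns it
            ACTIVE.remove((String) userId, session.getId());
        }
    }
}
```

If the application renews the session id at sign-in to prevent session fixation, call `claim` after the renewal so the stored id matches the session that stays alive.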


If I were going to do this I would try something like

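import org.apache.wicket.Session;
import org.apache.wicket.authroles.authentication.AuthenticatedWebApplication;
import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
import org.apache.wicket.request.cycle.RequestCycle;

// Other required overrides (session class, sign-in page, home page) omitted
class MyApplication extends AuthenticatedWebApplication
{
    @Override
    protected void init()
    {
        // Keep the authorization setup done by AuthenticatedWebApplication
        super.init();
        getRequestCycleListeners().add(new SessionGuard());
    }
}

// Runs at the start of every request and drops sessions that are no longer
// the most recently authenticated one for their user
class SessionGuard extends AbstractRequestCycleListener
{
    @Override
    public void onBeginRequest(final RequestCycle cycle)
    {
        // MySession is the application's own AuthenticatedWebSession subclass
        final MySession session = MySession.class.cast(Session.get());

        if(session.isSignedIn())
        {
            // Session id stored on the user record at the latest sign-in
            final String validSessionId = session.getUser().getLastAuthenticatedSessionId();

            // A newer sign-in has replaced this session, so end it
            if(!session.getId().equals(validSessionId))
            {
                session.invalidate();
            }
        }
    }
}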