Reputation: 883
Is it possible to programmatically terminate another user's HTTP session in Tomcat? My use case is like this: there are some users on the website, and an administrator. When the admin deletes a particular user, I want that user to be immediately logged out if he has an active session. Can users' sessions be accessed from application code?
Upvotes: 5
Views: 11630
Reputation: 883
I've found a solution in an answer to another question: "Tomcat: how to access (session) Manager from servlet".

The trick is to use reflection to get a `Manager` from an `HttpSession` or `ServletContext`. The code that does the trick for me:
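```java
import java.lang.reflect.Field;
import org.apache.catalina.Manager;
import org.apache.catalina.session.StandardSession;
import org.apache.catalina.session.StandardSessionFacade;
// Unwraps Tomcat's session facade via reflection to reach the internal StandardSession.
private Manager manager(HttpSession session) throws Exception {
    Field facadeSessionField = StandardSessionFacade.class.getDeclaredField("session");
    facadeSessionField.setAccessible(true); // the field is private in StandardSessionFacade
    StandardSession stdSession = (StandardSession) facadeSessionField.get(session);
    return stdSession.getManager();
}
```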
Upvotes: 0
Reputation: 19672
You need to maintain a concurrent map of `userId->HttpSession`. When a user logs in, put it in the map. When the session is destroyed, remove it from the map.

Now given a userId, you can retrieve the session from the map, and invalidate it.
Upvotes: 4
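One way to implement the map described in the answer above, as an added example that is not the answerer's code. The class name `UserSessionRegistry`, the `userId` attribute name and the `javax.servlet` namespace (Tomcat 9 and earlier; `jakarta.servlet` on Tomcat 10+) are assumptions. It goes beyond the answer in keeping a set of sessions per user, since one account can be logged in from several browsers.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical registry class; not part of Tomcat or the original answer.
@WebListener
public class UserSessionRegistry implements HttpSessionListener {
    // Assumed attribute name under which the user id is stored at login.
    static final String USER_ID_ATTR = "userId";
    // userId -> all live sessions of that user on this JVM.
    private static final Map<String, Set<HttpSession>> SESSIONS = new ConcurrentHashMap<>();

    /** Call from the login handler, after authentication has succeeded. */
    public static void register(String userId, HttpSession session) {
        session.setAttribute(USER_ID_ATTR, userId);
        SESSIONS.computeIfAbsent(userId, k -> ConcurrentHashMap.newKeySet()).add(session);
    }

    /** Call when an admin deletes the user; returns how many sessions were ended. */
    public static int invalidateAll(String userId) {
        Set<HttpSession> sessions = SESSIONS.remove(userId);
        if (sessions == null) return 0;
        int ended = 0;
        for (HttpSession s : sessions) {
            try {
                s.invalidate();
                ended++;
            } catch (IllegalStateException alreadyInvalid) {
                // Session timed out or was invalidated concurrently; nothing left to do.
            }
        }
        return ended;
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) { }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Runs on logout, timeout and invalidateAll(); drops the stale reference.
        HttpSession s = se.getSession();
        Object userId = s.getAttribute(USER_ID_ATTR);
        if (userId == null) return;
        SESSIONS.computeIfPresent((String) userId,
            (k, set) -> { set.remove(s); return set.isEmpty() ? null : set; });
    }
}
```

The registry is per JVM, so in a clustered deployment each node only sees and invalidates its own sessions.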
Reputation: 108
Yes, it is possible to list all the logged-in or working users' sessions in Tomcat and terminate any one of them (if you selected host-manager at installation time, this is possible with the user_name and password).

1. Type the URI http://localhost:8080/ (8080 is the default connector port of Tomcat; if you have changed it, use your port).
2. Select the Manage App option.
3. Enter the user_name and password which you entered at installation time.
4. After logging in successfully, click on the session count (0 or 1, 2, 3, etc.) in the Sessions column; the first column displays the name of your project.
5. Click on the `Refresh Session List` button.
6. Select the session ID check-box.
7. Click on the `Invalidate Selected Session` button; after clicking this button, that session will be invalidated.
Upvotes: 1