Is there any reason why removeByUserId is private in CacheIdContainer? #123

Open
mhzajac opened this issue Apr 1, 2015 · 3 comments

mhzajac commented Apr 1, 2015

Sometimes it would be convenient to remotely log a user out of an application (for example, revoked access to something, unauthorized entry). There is a removeByUserId method in CacheIdContainer that does exactly this, however it isn't exposed anywhere. The only way to use it is to extend CacheIdContainer to expose the method, or re-implement it elsewhere, which is undesirable, as it could later break if CacheIdContainer changes for any reason. Is there a reason this method isn't exposed anywhere?

(or IdContainer for that matter)

Member

gakuzzzz commented Apr 2, 2015

I agree that it is convenient to enable multiple log-in.

If CacheIdContainer#removeByUserId is public, it can be overridden,
and we can implement multiple log-in easily.
However, with only that implementation, it has a security risk that users cannot invalidate other sessions.

So, when we provide multiple log-in, we should provide a way of invalidating sessions.
It includes showing the session list to users,

Since CacheIdContainer is poor for this implementation, we create a new AsyncIdContainer that records remote IP address, access time and so on in a non-volatile datastore instead of a cache.

Author

mhzajac commented Apr 4, 2015

I wasn't really interested in exposing CacheIdContainer#removeByUserId for the purpose of multiple logins. More so to allow an administrator (let's say) to forcibly destroy a user's session without deleting or modifying the account that's stored elsewhere. I could delete the cache key userId:###, but that's not as clean as having the IdContainer handle it.

Member

gakuzzzz commented Apr 6, 2015

Ok, I see. I misunderstood your motivation.

It needs a way of kicking other users' sessions.
I consider this problem.
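
The two needs raised in this thread (an administrator forcibly ending a user's sessions, and users listing and invalidating their own sessions when multiple log-in is allowed) both come down to keeping a userId-to-token index beside the token-to-session map. The following is an added, stand-alone Scala example, not play2-auth code and not written by either commenter; `SessionRegistry`, `SessionInfo` and `sessionsOf` are hypothetical names, and in-memory maps stand in for the non-volatile datastore mentioned above.

```scala
import java.security.SecureRandom
import java.time.Instant
import scala.collection.mutable

// Hypothetical names for illustration; this is not play2-auth's IdContainer API.
final case class SessionInfo(userId: Long, remoteIp: String, lastAccess: Instant)

class SessionRegistry {
  private val random = new SecureRandom()
  // token -> session record (in-memory here; the thread proposes a non-volatile datastore)
  private val byToken = mutable.HashMap.empty[String, SessionInfo]
  // userId -> tokens: the reverse index that makes removeByUserId possible
  private val byUser = mutable.HashMap.empty[Long, Set[String]]
  private def newToken(): String = {
    val bytes = new Array[Byte](32); random.nextBytes(bytes)
    bytes.map(b => "%02x".format(b)).mkString
  }
  def startNewSession(userId: Long, remoteIp: String): String = synchronized {
    val token = newToken()
    byToken.put(token, SessionInfo(userId, remoteIp, Instant.now()))
    byUser.put(userId, byUser.getOrElse(userId, Set.empty[String]) + token)
    token
  }
  // Resolve a token on each request; a removed token no longer authenticates.
  def get(token: String): Option[Long] = synchronized {
    byToken.get(token).map { s =>
      byToken.put(token, s.copy(lastAccess = Instant.now()))
      s.userId
    }
  }
  // What a "your active sessions" page would list for one user.
  def sessionsOf(userId: Long): Seq[(String, SessionInfo)] = synchronized {
    byUser.getOrElse(userId, Set.empty[String]).toSeq
      .flatMap(t => byToken.get(t).map(info => (t, info)))
  }
  // User-initiated: invalidate a single session.
  def remove(token: String): Unit = synchronized {
    byToken.remove(token).foreach { s =>
      val rest = byUser.getOrElse(s.userId, Set.empty[String]) - token
      if (rest.isEmpty) byUser.remove(s.userId) else byUser.put(s.userId, rest)
    }
  }
  // Admin-initiated: invalidate every session of a user; the account record is untouched.
  def removeByUserId(userId: Long): Int = synchronized {
    val tokens = byUser.remove(userId).getOrElse(Set.empty[String])
    tokens.foreach(t => byToken.remove(t))
    tokens.size
  }
}
```

Because both maps are updated under the same lock, a token can never outlive its entry in the per-user index, so `removeByUserId` cannot miss a session that `get` would still accept.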
