Posted to users@tapestry.apache.org by Scott Russell <sc...@hotmail.com.au> on 2005/05/09 08:18:29 UTC

Session corruption between 2 browser instances

Hi all,

I have been encountering some weird session corruptions occurring when two 
different instances of the same browser (eg. Firefox, Konqueror, IE) connect 
to the same tapestry app.

When I open the browser, I go to the home page - a login page - and log in. 
Logging in stores data into the Visit object (so I assume a HttpSession has 
been created here). When I mouse-over PageLinks, the url that displays in the 
browser status bar has url rewriting (ie. 
http://x.x.x/x/app;jsessionid=XXXXXXX?etc/etc).

But then, as soon as I click on a link in the app, the browser switches to 
using a cookie to store the session id. As a result, all mouse-over links now 
display without the jsessionid url rewriting. All subsequent links, even in 
new browsers opened up, lack the url rewriting (so must be using cookies). 
This behaviour only changes if I close all browser windows and open a new 
one, at which point it initially starts out using the url rewriting.

The problem here is that if I open a second browser instance and log in as 
someone else, I expect to get a separate HttpSession. And at first I do. But 
as soon as this second instance starts using cookies, it writes over the 
other open browser's cookie (because the cookie is keyed on JSESSIONID). So 
if I then return to the original browser window and click a link, I am 
suddenly presented with information from the second browser's session. Worse, 
if I log out of the second browser, the first browser also is logged out.

Is this normal behaviour, and if so, is there any way to turn it off? Can I 
prevent the setting of the cookie from within Tapestry? Any help or advice 
would be appreciated.

regards,
Scott Russell



---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-user-help@jakarta.apache.org


Re: Session corruption between 2 browser instances

Posted by David Ezzio <de...@ysoft.com>.
Hi Scott,

Most browsers with two instances of the same browser on the same machine 
running at the same time with the same profile use a shared cookie 
cache.  There is no a priori reason why this must be so.  Usually, the 
behavior is encountered when a developer wants to test the multi-user 
capabilities of his Web application (and more rarely when users want to 
use a Web application in two different ways, perhaps to cross-reference 
one page to another.)  Depending on your application, things will get 
confused in these circumstances.  Other than these two use cases, the 
situation rarely arises.

IE is a little different than the Mozilla family of browsers (which 
definitely share a cookie cache), since opening up a new IE session with 
Ctrl-N yields a different result from opening up a new IE session by 
starting the program a second time.

You can test all of this by writing a JSP page that echoes back session info.
You can echo the session id, its creation time, how long ago it was last 
accessed, etc.  See the HttpSession JavaDoc.

David Ezzio
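
The session-echo page suggested above, as an added example that is not part of the original thread: a JSP (hypothetical file name sessioninfo.jsp) deployed in the same web application, reporting the session id, whether it arrived by cookie or by URL rewriting, and the session's timestamps. It uses only the standard HttpServletRequest and HttpSession methods.

```jsp
<%-- sessioninfo.jsp: hypothetical file name; added diagnostic example --%>
<%@ page contentType="text/plain; charset=UTF-8" session="false" import="java.util.Date" %>
<%
    // Plain text output, so the client-supplied session id is never
    // interpreted as HTML by the browser.
    response.setHeader("Cache-Control", "no-store");

    // session="false" stops this page from creating a session itself;
    // getSession(false) returns only a session that already exists.
    HttpSession s = request.getSession(false);

    // What the client sent, and by which tracking mechanism.
    out.println("requested id       : " + request.getRequestedSessionId());
    out.println("id came from cookie: " + request.isRequestedSessionIdFromCookie());
    out.println("id came from URL   : " + request.isRequestedSessionIdFromURL());
    out.println("requested id valid : " + request.isRequestedSessionIdValid());

    if (s == null) {
        out.println("no session is bound to this request");
    } else {
        long now = System.currentTimeMillis();
        out.println("session id         : " + s.getId());
        out.println("is new             : " + s.isNew());
        out.println("created            : " + new Date(s.getCreationTime()));
        out.println("last accessed      : "
                + (now - s.getLastAccessedTime()) / 1000 + " s ago");
        out.println("max inactive       : " + s.getMaxInactiveInterval() + " s");
    }
%>
```

Loading the page in both browser windows and comparing the "session id" and "id came from" lines shows whether the two windows are bound to the same HttpSession and at which request the tracking switches from the URL to the cookie.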



RE: Session corruption between 2 browser instances

Posted by Patrick Casey <pa...@adelphia.net>.
Scott,

	I suspect what you're seeing is this:

	Browser A sets session cookie -> writes cookie "foo" with Session
key "bar"

	Browser B starts up and looks for a session cookie. Lo and behold,
session cookie "foo" is still in the file system and hasn't expired. Hence
your session key is "bar" even though this second browser hasn't ever logged
in.

	You'll only see this with two instances of the same browser, because
if you have, say IE and Firefox up concurrently they have different physical
cookie files so they won't get scrambled.

	As for how to fix it, the only advice I could offer would be to turn
off cookies and just use url rewriting...

	--- Pat