Posted to users@tomcat.apache.org by vn...@cox.net on 2007/06/27 14:31:19 UTC

OT: Sessions

Hi:

We have an Enterprise application that uses sessions to keep track of User Information (name, role, dept). This information is used against the user when logging out, checking credentials and displaying user information. Since we are using Session Attributes to keep track of User Information - this gets mangled when we try to log in to the application from the same browser (in Firefox) and Ctrl-N from IE (in other words the person who gets logged in will overwrite the current user's attribute thus losing first user information). So, I am wondering whether you all have any recommendations/inputs to avoid this scenario. Thanks in advance. I did check the google and other search tools, but could not locate anything useful.

regards,
Vasu

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: OT: Sessions

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Vasu,

vnug@cox.net wrote:
> Since we are using Session Attributes to keep track of User
> Information - this gets mangled when we try to log in to the application
> from the same browser (in Firefox) and Ctrl-N from IE (in other words
> the person who gets logged in will overwrite the current user's
> attribute thus losing first user information).

Just to be sure I understand:

You have an application that uses sessions.

When the user logs-in in one window, then opens another window and
logs-in again, the first user's session appears to go away, and both
windows now point to the new login?

If that's what you are describing, then it is expected behavior if you
are using cookies for session management.

When cookies are used, the browser sends a cookie with each request. The
cookie chosen by the browser is based on the hostname and path being
used for the request (say, www.mysite.com/mypath).

When you login from the second window, your browser deletes the old
JSESSIONID cookie and replaces it with the new one (from the new login).
Both windows will send the same cookie from then on, essentially
cutting-off the first user.

> So, I am wondering whether you all have any recommendations/inputs to
> avoid this scenario. Thanks in advance. I did check the google and
> other search tools, but could not locate anything useful.

One way to get around this is to turn off the use of cookies for session
tracking. Search the web or the archives of this list (or read the
Tomcat docs) to see how to do this. REMEMBER that if you aren't using
cookies, /every single URL you emit must be sent through
HttpServletRequest.encodeURL/, otherwise clicking on a (non-encoded)
link will appear to lose the session.

My last question would be: why do you need to have multiple windows with
separate logins?

-chris

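
Added example, not part of Christopher's message: a servlet that emits links the way the reply above describes once cookies are off, using the servlet API's `encodeURL` and `encodeRedirectURL` on the response object. The servlet name, the paths and the Tomcat `<Context cookies="false">` setting are assumptions made for the illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added illustration. Assumes cookie-based session tracking is disabled for the
// webapp (in Tomcat: <Context cookies="false">); all paths are hypothetical.
public class MenuServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        if (session == null) {
            // The request URL carried no valid ;jsessionid, so this window
            // has no login of its own.
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        String base = req.getContextPath();
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // encodeURL appends ";jsessionid=<id>" when the session is not carried
        // by a cookie, so this link stays inside this window's session.
        out.println("<a href=\"" + resp.encodeURL(base + "/report") + "\">Report</a>");
        // Form actions are URLs too and need the same treatment.
        out.println("<form method=\"post\" action=\""
            + resp.encodeURL(base + "/menu") + "\">"
            + "<button type=\"submit\">Save</button></form>");
        // A raw link carries no session ID: the next request arrives without
        // a session and the user appears logged out.
        out.println("<a href=\"" + base + "/help\">Help (not encoded)</a>");
        // The ID is now part of every URL: it shows up in browser history,
        // access logs and Referer headers, so keep encoded links on-site.
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Redirect targets go through the separate encodeRedirectURL method.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/menu"));
    }
}
```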


Re: OT: Sessions

Posted by 吴熊敏 <xw...@ublearning.com>.
the same browser (in FireFox) and Ctrl-N from IE??

That means that you are using the same session....

So you can't avoid overwriting the last session, I think.


You can open a new browser window to avoid overwriting session.



----------------------------
吴熊敏 <xw...@ublearning.com>




Re: OT: Sessions

Posted by David Smith <dn...@cornell.edu>.
One possibility is to check for a pre-existing open login on login.  If 
one is detected, return an error something to the effect of "please log 
off first".  Offer a log-off button/link that invalidates the session 
and returns the user to a welcome page.  Maintaining both logins is 
trickier and probably not in your best interest from a security perspective.

--David

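
Added example, not part of David's message: one way to implement the check he describes, refusing a second login while the session already holds a user and offering a log-off that invalidates the session. The attribute name, the paths and `verifyCredentials()` are hypothetical; the `javax.servlet` package matches Tomcat versions of that era.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added illustration; USER_ATTR, the paths and verifyCredentials() are hypothetical.
public class LoginServlet extends HttpServlet {
    static final String USER_ATTR = "authenticatedUser";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false) inspects the session the browser's cookie points to
        // without creating one as a side effect.
        HttpSession existing = req.getSession(false);
        if (existing != null && existing.getAttribute(USER_ATTR) != null) {
            // A login is already open on this session: refuse instead of
            // overwriting its attributes, and offer the log-off button.
            resp.setStatus(HttpServletResponse.SC_CONFLICT);
            resp.setContentType("text/html;charset=UTF-8");
            resp.getWriter().println("<p>Please log off first.</p>"
                + "<form method=\"post\" action=\"" + req.getContextPath()
                + "/logout\"><button type=\"submit\">Log off</button></form>");
            return;
        }
        String user = req.getParameter("username");
        if (!verifyCredentials(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Discard any anonymous pre-login session so the authenticated
        // session starts with a fresh ID, then store the user information.
        if (existing != null) existing.invalidate();
        req.getSession(true).setAttribute(USER_ATTR, user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Placeholder: replace with the application's real credential check.
    protected boolean verifyCredentials(String user, String password) {
        return false; // deny by default
    }
}

class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession s = req.getSession(false);
        if (s != null) s.invalidate(); // drops every attribute of the old login
        resp.sendRedirect(req.getContextPath() + "/welcome");
    }
}
```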