
Session Problem

 
Srinivasa Raghavan
Ranch Hand
Posts: 1228
Hi all,
After I log in to my JSP application, on the home page I'm displaying the text "Hello <user name> !!"; this <user name> is from the session.
Then if I open a new browser and log in with a different ID, the session variables of the previous window get overwritten with the current values.
i.e. the home page in both browsers shows the same user name, "Hello <second user name>", where <second user name> is the user ID with which I log in in the second browser.
How do I solve this using a session ID?
 
Stephen Huey
Ranch Hand
Posts: 618
You need to show the code where you're storing the username in the session...
 
Srinivasa Raghavan
Ranch Hand
Posts: 1228
Originally posted by Stephen Huey:
You need to show the code where you're storing the username in the session...


The code goes like this ..


This is done in the Servlet.
 
Ben Souther
Sheriff
Posts: 13411
This is expected browser behavior.

If you're using MSIE and you start a new instance by either typing Ctrl+N or by using the "File->New" menu option, the new instance will share the same cookie space with the first copy. If, however, you start a new instance by clicking "Start->Programs->MSIE" or by clicking on the shortcut on your desktop, the new instance will have its own session cookie and you won't see this behavior.

With Mozilla/Firefox, tabs within the same instance all share the same session cookie. I think on Windows a new instance of the browser will have its own session but I'm not sure. On Linux, I have to start it with a different profile or under a different user to get a separate session.

This, like the "Back" button, is one of the irritations that come with trying to build applications on a platform designed for displaying linked text.
 
Srinivasa Raghavan
Ranch Hand
Posts: 1228
Thanks Ben Souther,

So what's the solution for this?
This is a security flaw, am I right?
How to handle this?
 
Ben Souther
Sheriff
Posts: 13411
If there is a programmatic solution, I've yet to see it.
This is the way browsers work. The only solution that I know of is with documentation. Let the user know not to open multiple browsers for different transactions at the same time.
 
Srinivasa Raghavan
Ranch Hand
Posts: 1228
Originally posted by Ben Souther:
The only solution that I know of is with documentation. Let the user know not to open multiple browsers for different transactions at the same time.


Hi Ben,
Again a big thanks for the reply.

Instead of depending on an end user who is going to use the application,
will this be a good solution?

When any user tries to open a new window through "File --> New" and access the login page of the application, let me check for the session variables; if they exist I'll redirect them to the home page, or the other way is to invalidate the session when this situation is met.
[ January 01, 2005: Message edited by: srini vasan ]
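
The check proposed in the post above, as an added example that is not code from this thread: `doGet` redirects a window that already carries a logged-in session, and `doPost` discards any existing session before binding the new user. The attribute name `userName`, the paths, the form field names and the use of container-managed `login()`/`logout()` (Servlet 3.0+) are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: names and paths below are assumptions, not the poster's code.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    private static final String USER_ATTR = "userName";     // assumed session key
    private static final String HOME = "/home.jsp";         // assumed home page
    private static final String LOGIN_FORM = "/login.jsp";  // assumed login form

    // Option 1: a window whose cookie already maps to a logged-in session
    // is never shown the login form; it is sent to the home page instead.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false); // false: never create one here
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            resp.sendRedirect(req.getContextPath() + HOME);
            return;
        }
        req.getRequestDispatcher(LOGIN_FORM).forward(req, resp);
    }

    // Option 2: a login arriving on an existing session discards that session
    // first, so no attribute of the previous user survives into the new one.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession old = req.getSession(false);
        if (old != null) {
            req.logout();     // clear any container identity before login()
            old.invalidate(); // drops every attribute bound to the old session
        }
        try {
            // Container-managed credential check; throws on bad credentials.
            req.login(req.getParameter("user"), req.getParameter("password"));
        } catch (ServletException e) {
            resp.sendRedirect(req.getContextPath() + "/login?error=1");
            return;
        }
        HttpSession fresh = req.getSession(true); // new session, new session ID
        fresh.setAttribute(USER_ATTR, req.getRemoteUser());
        resp.sendRedirect(req.getContextPath() + HOME);
    }
}
```

Because both windows send the same session cookie, the first window joins the new session on its next request; the server cannot tell the two windows apart.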
 
Ben Souther
Sheriff
Posts: 13411
Both instances are pointing to the same session cookie. Invalidating one will invalidate the other.
Also, I'm not sure if the new instance (with MSIE) even makes a call to the server to get its content or if it gets it from the cache. It wouldn't be hard to test for this, obviously.
 
Srinivasa Raghavan
Ranch Hand
Posts: 1228
Originally posted by Ben Souther:
Both instances are pointing to the same session cookie. Invalidating one will invalidate the other.
Also, I'm not sure if the new instance (with MSIE) even makes a call to the server to get its content or if it gets it from the cache. It wouldn't be hard to test for this, obviously.



Yes, obviously invalidating one will invalidate the other. Since this application is a financial application, this would be better.
 
Ben Souther
Sheriff
Posts: 13411
For power users (which you may very well have with a financial app) this behaviour can be useful. Someone could have two windows open for one particular client and then open a third window for a different client without disturbing the first two.

For less intelligent users, this is just an all around PITA.

Let me know what you come up with.

-Ben
 
Srinivasa Raghavan
Ranch Hand
Posts: 1228
Originally posted by Ben Souther:
For power users (which you may very well have with a financial app) this behaviour can be useful. Someone could have two windows open for one particular client and then open a third window for a different client without disturbing the first two.

For less intelligent users, this is just an all around PITA.
-Ben


Yes Ben, I'm planning to invalidate the session for all the hierarchy of users except the power users. Thanks a dude.
 