
Is it possible to merge two sessions?

 
Yuriy Zilbergleyt
Say a user logs in twice into a J2EE web app from two different browser instances, therefore creating two sessions. Is it possible to merge the sessions into one, so each browser instance receives the same session id?

Thank you,
Yuriy
 
Gregg Bolinger
Why would you want to do that even if it is possible?
 
Yuriy Zilbergleyt
In our application there might be a problem if the same user interacts with the system from multiple sessions. One solution could be to invalidate the older active session, if one exists, for a user who just logged in. But I think it would be better to just keep the older session active and use it for the new browser instance as well. That way the user can switch between the browsers and keep working.

I know that sessions can be stored in the ServletContext, probably in a map with the userid as the key, but I'm not sure how to tell the response and request objects to switch to a preexisting session. Request probably isn't necessary to switch, as the old session can be stored as an attribute and another attribute can tell servlets and JSPs to use that session. Response however must be changed. Maybe manual fiddling with the headers, or could there be some function?
 
Yuriy Zilbergleyt
Hmm, just read in Head First JSP & Servlets that JSESSIONID is a cookie. Can this cookie be manually overwritten from a servlet without the container messing with it later on?
 
Jeanne Boyarsky
Yuriy,
I wouldn't change the jsession id value. You could just copy over the relevant data to the new session and then invalidate the first one.
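
The copy-then-invalidate approach suggested in the reply above, sketched as an added example that is not part of the original thread and not any poster's code. It assumes a Servlet 3.1+ container; the class name, the `app.activeSessions` context attribute and the carried-over attribute names (`cart`, `draftForm`) are hypothetical.

```java
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class SessionHandover {
    // Hypothetical names: the context attribute holding the userId -> session map,
    // and the application attributes that are safe to carry over.
    static final String REGISTRY = "app.activeSessions";
    static final List<String> CARRY_OVER = Arrays.asList("cart", "draftForm");

    /** Call only after the username and password have been verified. */
    public static HttpSession onLoginSuccess(HttpServletRequest request, String userId) {
        HttpSession fresh = request.getSession(true);
        if (!fresh.isNew()) {
            request.changeSessionId(); // drop the pre-login id (session fixation)
        }
        fresh.setAttribute("userId", userId);

        // put() returns the session this user logged in with earlier, if any.
        HttpSession previous = registry(request.getServletContext()).put(userId, fresh);
        if (previous != null && previous != fresh) {
            try {
                for (String name : CARRY_OVER) {
                    Object value = previous.getAttribute(name);
                    if (value != null) {
                        fresh.setAttribute(name, value);
                    }
                }
                previous.invalidate(); // the other browser's JSESSIONID stops working
            } catch (IllegalStateException alreadyGone) {
                // The older session had timed out or been invalidated; nothing to copy.
            }
        }
        return fresh;
    }

    @SuppressWarnings("unchecked")
    private static ConcurrentMap<String, HttpSession> registry(ServletContext ctx) {
        synchronized (ctx) { // create the shared map exactly once
            Object map = ctx.getAttribute(REGISTRY);
            if (map == null) {
                map = new ConcurrentHashMap<String, HttpSession>();
                ctx.setAttribute(REGISTRY, map);
            }
            return (ConcurrentMap<String, HttpSession>) map;
        }
    }
}
```

An `HttpSessionListener` would also need to remove a session's registry entry in `sessionDestroyed`, otherwise the map keeps references to expired sessions.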
 
Jeroen Wenting
Would be so nice wouldn't it?

I log in from my machine to my bank's web interface. Someone else enters my account number and because I'm logged in the server merges the sessions and he can see whatever I do and sneak in transactions emptying my account into his own.

That's why sessions should never communicate!
 
Yuriy Zilbergleyt
> I wouldn't change the jsession id value. You could just copy over the relevant data to the new session and then invalidate the first one.

But assuming that I don't want to invalidate the old session, I can merge the two, right?

> Would be so nice wouldn't it?
>
> I log in from my machine to my bank's web interface. Someone else enters my account number and because I'm logged in the server merges the sessions and he can see whatever I do and sneak in transactions emptying my account into his own.
>
> That's why sessions should never communicate!


A person entering from the other session would still have to log in using the username and password. It's only afterwards that the sessions would be merged.
[ March 25, 2005: Message edited by: Yuriy Zilbergleyt ]
 
Yuriy Zilbergleyt
All right, after talking to my coworkers I have realized that merging sessions would not work for us because it would break our JavaScript references to different windows open under a session. Another problem came up though, which I will ask about in a different topic.

Thank you for your replies,
Yuriy
 