Is it possible to merge two sessions?

 
Ranch Hand
Say a user logs in twice into a J2EE web app from two different browser instances, therefore creating two sessions. Is it possible to merge the sessions into one, so each browser instance receives the same session id?

Thank you,
Yuriy
 
Ranch Hand
Why would you want to do that even if it is possible?
 
Yuriy Zilbergleyt
Ranch Hand
In our application there might be a problem if the same user interacts with the system from multiple sessions. One solution could be to invalidate the older active session, if one exists, for a user who just logged in. But I think it would be better to just keep the older session active and use it for the new browser instance as well. That way the user can switch between the browsers and keep working.

I know that sessions can be stored in the ServletContext, probably in a map with the userid as the key, but I'm not sure how to tell the response and request objects to switch to a preexisting session. Request probably isn't necessary to switch, as the old session can be stored as an attribute and another attribute can tell servlets and JSPs to use that session. Response however must be changed. Maybe manual fiddling with the headers, or could there be some function?
 
Yuriy Zilbergleyt
Ranch Hand
Hmm, just read in Head First JSP & Servlets that JSESSIONID is a cookie. Can this cookie be manually overwritten from a servlet without the container messing with it later on?
 
author & internet detective
Yuriy,
I wouldn't change the jsession id value. You could just copy over the relevant data to the new session and then invalidate the first one.
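
The copy-then-invalidate approach suggested in the reply above, as an added example that is not part of the original thread. The class name, the registry map and the `userId` attribute are assumptions, and it uses the `javax.servlet` API (3.0 or later).

```java
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: call adoptPreviousSession() only after the password check succeeded. */
public final class SingleSessionLogin {
    // Hypothetical registry: user id -> that user's current session.
    private static final Map<String, HttpSession> ACTIVE = new ConcurrentHashMap<>();

    private SingleSessionLogin() {}

    public static HttpSession adoptPreviousSession(HttpServletRequest request, String userId) {
        // Drop any pre-login session so the authenticated session gets an id
        // that the container issued after login (avoids session fixation).
        HttpSession preLogin = request.getSession(false);
        if (preLogin != null) {
            preLogin.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("userId", userId);

        // Swap the registry entry; put() returns the session it replaced.
        HttpSession old = ACTIVE.put(userId, fresh);
        if (old != null && old != fresh) {
            try {
                // Copy the relevant data. Everything is copied here for brevity;
                // a real application would copy an allowlist of attribute names.
                for (String name : Collections.list(old.getAttributeNames())) {
                    fresh.setAttribute(name, old.getAttribute(name));
                }
                old.invalidate(); // the other browser has to log in again
            } catch (IllegalStateException alreadyInvalid) {
                // The old session timed out or was invalidated concurrently.
            }
        }
        return fresh;
    }

    /** Call on logout or from HttpSessionListener.sessionDestroyed(). */
    public static void forget(String userId, HttpSession session) {
        ACTIVE.remove(userId, session); // removes only if still the current one
    }
}
```

The container keeps sole control of the JSESSIONID cookie here; the application only moves attributes between sessions it obtained through the servlet API.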
 
Ranch Hand
Would be so nice wouldn't it?

I log in from my machine to my bank's web interface. Someone else enters my account number and because I'm logged in the server merges the sessions and he can see whatever I do and sneak in transactions emptying my account into his own.

That's why sessions should never communicate!
 
Yuriy Zilbergleyt
Ranch Hand
> I wouldn't change the jsession id value. You could just copy over the relevant data to the new session and then invalidate the first one.

But assuming that I don't want to invalidate the old session, I can merge the two, right?

> Would be so nice wouldn't it?
>
> I log in from my machine to my bank's web interface. Someone else enters my account number and because I'm logged in the server merges the sessions and he can see whatever I do and sneak in transactions emptying my account into his own.
>
> That's why sessions should never communicate!


A person entering from the other session would still have to log in using the username and password. It's only afterwards that the sessions would be merged.
[ March 25, 2005: Message edited by: Yuriy Zilbergleyt ]
 
Yuriy Zilbergleyt
Ranch Hand
All right, after talking to my coworkers I have realized that merging sessions would not work for us because it would break our JavaScript references to different windows open under a session. Another problem came up though, which I will ask about in a different topic.

Thank you for your replies,
Yuriy
 