Session shared in between tabs

2

7

I have a Java web application where I need to stop the session being shared between browser tabs, meaning:

A user opens a browser, logs into his account and opens a particular page in a new tab in the same browser. As per the default setting the session is shared with the new tab and the user is automatically logged in to the new tab. Can anyone tell me how this can be stopped, so I can at least restrict this on a few sensitive pages if not the entire application?

Grayish answered 5/6, 2011 at 13:26 Comment(2)
Possible duplicate of "How to differ sessions in browser-tabs?" - Soapy
Are you using JavaScript in your application? - Carolinian
11

Usually cookies are used for session handling. Then all tabs and browser windows share the same session. But you can configure your servlet container to use URL rewrite instead of cookies. (Here is an example for Jetty.)

With URL rewrite the session is only identified via a URL parameter containing the session ID. So every internal URL of your web application has to be enhanced with this parameter using the method HttpServletResponse.encodeURL(). If you are using a web framework like Wicket, chances are good that this is already done for you.

With URL rewrite it is possible to have several independent sessions in different windows or tabs of the same browser instance.

Update: In response to the downvote I want to make clear the different behaviour of URL rewriting:

Let's assume the website's URL is http://webapp.com.

Cookies: Open http://webapp.com in the first browser tab.

The server creates a session and sends a cookie in the response.

The browser stores the cookie.

Then open http://webapp.com in the second browser tab. The browser associates this URL with the recently stored cookie and adds the cookie to the request.

For the server there is no difference between requests from the first or second browser tab, and it responds from the same session. Sometimes this is the desired behaviour.

URL rewriting: Open http://webapp.com in the first browser tab.

The server creates a session with ID 1 and adds the parameter jsessionid=1 to every URL in the response page. No cookie is transferred.

All further requests to another page of the same webapp from the first browser tab include the session ID (for example 1).

Then open http://webapp.com from the second browser tab. Here is the difference! Because there is no cookie and no jsessionid parameter in the request, the server creates a new session (i.e. ID 2) and adds parameter jsessionid=2 to every URL contained in the response page. From now on all subsequent requests from the second browser tab are associated with session 2.

So you have two independent sessions in the same browser.

Respirator answered 5/6, 2011 at 16:9 Comment(5)
-1. Encoding the session ID in the URL does nothing except make the session ID available to the client in the absence of cookies. Cookies don't change across tabs, and neither does the session ID, resulting in the scenario where the URL encoded session ID remains the same across tabs. - Soapy
There is a difference between cookies and URL rewriting. See my updated answer. - Respirator
You still have a problem when the user opens a link of the first tab or copies the URL of the first tab in a new tab. - Stalwart
Yes, this is true. If you need this, then URL rewriting doesn't help. But it is better than nothing and enough for many use cases. - Respirator
I've removed the downvote, but BalusC's point is valid. If the OP is attempting to prevent multiple tabs from being opened, then he has to resort to JavaScript trickery for all hyperlinks. - Soapy
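
The behaviour described in the answer above and the caveat raised in its comments, as an added example that is not part of the original posts: a simplified Python model (all class and function names are constructed) of a container resolving the session from a cookie versus a `;jsessionid=` URL path parameter. In URL mode a fresh tab gets a new session, but any tab that receives a link from the first tab joins its session, because the URL itself carries the session ID.

```python
import itertools
import re

JSID = re.compile(r";jsessionid=(\w+)")

class Container:
    """Simplified model of a servlet container's session tracking (constructed)."""
    def __init__(self, mode):
        self.mode = mode                      # "cookie" or "url"
        self.sessions = {}                    # session ID -> per-session data
        self._ids = itertools.count(1)

    def handle(self, url, cookies):
        """Resolve the session for one request; return (sid, set_cookie, link)."""
        if self.mode == "cookie":
            sid = cookies.get("JSESSIONID")
        else:
            m = JSID.search(url)
            sid = m.group(1) if m else None
        set_cookie = None
        if sid not in self.sessions:          # unknown or missing ID: new session
            sid = str(next(self._ids))
            self.sessions[sid] = {}
            if self.mode == "cookie":
                set_cookie = sid
        # encodeURL() equivalent: in URL mode every internal link carries the ID
        link = "/account" + (f";jsessionid={sid}" if self.mode == "url" else "")
        return sid, set_cookie, link

class Browser:
    """One cookie jar shared by all tabs, as in a real browser profile."""
    def __init__(self, server):
        self.server, self.cookies = server, {}

    def open(self, url):
        sid, set_cookie, link = self.server.handle(url, self.cookies)
        if set_cookie:
            self.cookies["JSESSIONID"] = set_cookie
        return sid, link

def tabs(mode):
    """Return session IDs seen by: tab 1, a fresh tab 2, tab 3 given tab 1's link."""
    b = Browser(Container(mode))
    sid1, link1 = b.open("/")
    sid2, _ = b.open("/")                     # second tab, URL typed by hand
    sid3, _ = b.open(link1)                   # link from tab 1 opened in a new tab
    return sid1, sid2, sid3
```
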
0

If you are using JavaScript I can provide you one workaround.
a) Have one hidden parameter in the login screen, and set the window name for that hidden field.
b) When you log in (submitting the request), check in the action class if the request parameter is not null and is equal to the landing page. If so, it's a valid request, meaning the user came to the landing page by logging in; if not, redirect to an invalid page.

Carolinian answered 25/7, 2012 at 7:10 Comment(0)
