How to differ sessions in browser-tabs

Question

In a web-application implemented in java using JSP and Servlets  if I store information in the user session  this information is shared from all the tabs from the same browser  How to differ sessions in the browser-tabs   In this example     lt   page language  java   gt   lt   String user   request getParameter  user    user    user    null    String session getAttribute  SESSIONS USER     user   session setAttribute  SESSIONS USER  user     gt   lt html gt  lt head gt  lt  head gt  lt body gt   lt   user   gt   lt form method  post  gt  User  lt input name  user  value    gt   lt input type  submit  value  send  gt   lt  form gt   lt  body gt  lt  html gt    Copy this code in a jsp page  testpage jsp   deploy this file in an existing context of a web application on the server  I use Apache Tomcat   then open a browser  FF  IE7 or Opera  using the correct URL  localhost context1 testpage jsp   type your name in the input and submit the form  Then open a new tab in the same browser  and then you can see your name  get from the session  on the new tab  Be careful with the browser-cache  sometimes seems that it doesn t happen  but it s in the cache  refresh the second tab   Thanks

User · Answer

I resolved this of following way    I ve assigned a name to window this name is the same of connection resource  plus 1 to rid stored in cookie for attach connection  I ve created a function to capture all xmloutput response and assign sid and rid to cookie in json format  I do this for each window name    here the code   var deferred    q defer            self   this          onConnect   function status             if  status     Strophe Status CONNECTING                deferred notify  status   connecting                 else if  status     Strophe Status CONNFAIL                self connected   false              deferred notify  status   fail                 else if  status     Strophe Status DISCONNECTING                deferred notify  status   disconnecting                 else if  status     Strophe Status DISCONNECTED                self connected   false              deferred notify  status   disconnected                 else if  status     Strophe Status CONNECTED                self connection send  pres   tree                 self connected   true              deferred resolve  status   connected                 else if  status     Strophe Status ATTACHED                deferred resolve  status   attached                 self connected   true                                 output   function data             if  self connected               var rid     data  attr  rid                    sid     data  attr  sid                    storage                    if  localStorageService cookie get  day bind                   storage   localStorageService cookie get  day bind                 else                storage                                 storage  window name    sid    -    rid              localStorageService cookie set  day bind   angular toJson storage                               if   window name         var storage   localStorageService cookie get  day bind              value   storage  window name  split  -             sid   value 0             rid   value 1         self connection   new Strophe Connection BoshService         self connection xmlOutput   output        self connection attach  bosh     BoshDomain          window name  sid  parseInt rid  10    1  onConnect        else         window name    web      new Date    getTime          self connection   new Strophe Connection BoshService         self connection xmlOutput   output        self connection connect  bosh     BoshDomain          window name   123456   onConnect           I hope help you

User · Answer

You have to realize that server-side sessions are an artificial add-on to HTTP  Since HTTP is stateless  the server needs to somehow recognize that a request belongs to a particular user it knows and has a session for  There are 2 ways to do this    Cookies  The cleaner and more popular method  but it means that all browser tabs and windows by one user share the session - IMO this is in fact desirable  and I would be very annoyed at a site that made me login for each new tab  since I use tabs very intensively URL rewriting  Any URL on the site has a session ID appended to it  This is more work  you have to do something everywhere you have a site-internal link   but makes it possible to have separate sessions in different tabs  though tabs opened through link will still share the session  It also means the user always has to log in when he comes to your site    What are you trying to do anyway  Why would you want tabs to have separate sessions  Maybe there s a way to achieve your goal without using sessions at all   Edit  For testing  other solutions can be found  such as running several browser instances on separate VMs   If one user needs to act in different roles at the same time  then the  role  concept should be handled in the app so that one login can have several roles  You ll have to decide whether this  using URL rewriting  or just living with the current situation is more acceptable  because it s simply not possible to handle browser tabs separately with cookie-based sessions

User · Answer

Storing the timeStamp in window sessionStorage if it is not already set  This will give a unique value for each tab even if the URLs are same   http   www javascriptkit com javatutors domstorage shtml  https   developer mozilla org en-US docs Web Guide API DOM Storage  Hope this helps

User · Answer

I think what you probably want is to maintain navigation state across tabs and not specifically creating a single session per tab  This is exactly what the Seam framework achieves with their Conversation scope context  Their implementation relies on the fact that a conversation id is propagated with each request and creates the notion of a conversation on the server side  which is something that lies between a session and a request  It allows for navigation flow control and state management   Although that s mainly aimed at JSF  have a look and check if that s something where you can take some ideas from  http   docs jboss org seam latest reference en-US html single  d0e3620

User · Answer

I see many implementations which have client side changes to manipulate session id cookies  But in general session id cookies should be HttpOnly so java-script cannot access otherwise it may lead to Session Hijack thru XSS

User · Answer

I resolved this of following way    I ve assigned a name to window this name is the same of connection resource  plus 1 to rid stored in cookie for attach connection  I ve created a function to capture all xmloutput response and assign sid and rid to cookie in json format  I do this for each window name    here the code   var deferred    q defer            self   this          onConnect   function status             if  status     Strophe Status CONNECTING                deferred notify  status   connecting                 else if  status     Strophe Status CONNFAIL                self connected   false              deferred notify  status   fail                 else if  status     Strophe Status DISCONNECTING                deferred notify  status   disconnecting                 else if  status     Strophe Status DISCONNECTED                self connected   false              deferred notify  status   disconnected                 else if  status     Strophe Status CONNECTED                self connection send  pres   tree                 self connected   true              deferred resolve  status   connected                 else if  status     Strophe Status ATTACHED                deferred resolve  status   attached                 self connected   true                                 output   function data             if  self connected               var rid     data  attr  rid                    sid     data  attr  sid                    storage                    if  localStorageService cookie get  day bind                   storage   localStorageService cookie get  day bind                 else                storage                                 storage  window name    sid    -    rid              localStorageService cookie set  day bind   angular toJson storage                               if   window name         var storage   localStorageService cookie get  day bind              value   storage  window name  split  -             sid   value 0             rid   value 1         self connection   new Strophe Connection BoshService         self connection xmlOutput   output        self connection attach  bosh     BoshDomain          window name  sid  parseInt rid  10    1  onConnect        else         window name    web      new Date    getTime          self connection   new Strophe Connection BoshService         self connection xmlOutput   output        self connection connect  bosh     BoshDomain          window name   123456   onConnect           I hope help you

User · Answer

The window name Javascript property  is the only thing that will persist across tab activity  but can remain independent  instead of URL guff

User · Answer

Storing the timeStamp in window sessionStorage if it is not already set  This will give a unique value for each tab even if the URLs are same   http   www javascriptkit com javatutors domstorage shtml  https   developer mozilla org en-US docs Web Guide API DOM Storage  Hope this helps

User · Answer

I ve been reading this post because I thought I wanted to do the same thing  I have a similar situation for an application I m working on  And really it s a matter of testing more than practicality   After reading these answers  especially the one given by Michael Borgwardt  I realized the work flow that needs to exist    If the user navigates to the login screen  check for an existing session  If one exists bypass the login screen and send them to the welcome screen  If the user  in my case  navigates to the enrollment screen  check for an existing session  If one exists  let the user know you re going to log that session out  If they agree  log out  and begin enrollment    This will solve the problem of user s seeing  another user s  data in their session  They aren t really seeing  another user s  data in their session  they re really seeing the data from the only session they have open  Clearly this causes for some interesting data as some operations overwrite some session data and not others so you have a combination of data in that single session   Now  to address the testing issue  The only viable approach would be to leverage Preprocessor Directives to determine if cookie-less sessions should be used  See  by building in a specific configuration for a specific environment I m able to make some assumptions about the environment and what it s used for  This would allow me to technically have two users logged in at the same time and the tester could test multiple scenarios from the same browser session without ever logging out of any of those server sessions   However  this approach has some serious caveats  Not least of which is the fact that what the tester is testing is not what s going to run in production   So I think I ve got to say  this is ultimately a bad idea

User · Answer

Another approach that works is to create a unique window id and store this value along with the session id in a database table   The window id I often use is integer now    This value is created when a window is opened and re-assigned to the same window if the window is refreshed  reloaded or submitted to itself   Window values  inputs  are saved in the local table using the link   When a value is required  it is obtained from the database table based on the window id   session id link   While this approach requires a local database  it is virtually foolproof   The use of a database table was easy for me  but I see no reason why local arrays would not work just as well

User · Answer

I ve been reading this post because I thought I wanted to do the same thing  I have a similar situation for an application I m working on  And really it s a matter of testing more than practicality   After reading these answers  especially the one given by Michael Borgwardt  I realized the work flow that needs to exist    If the user navigates to the login screen  check for an existing session  If one exists bypass the login screen and send them to the welcome screen  If the user  in my case  navigates to the enrollment screen  check for an existing session  If one exists  let the user know you re going to log that session out  If they agree  log out  and begin enrollment    This will solve the problem of user s seeing  another user s  data in their session  They aren t really seeing  another user s  data in their session  they re really seeing the data from the only session they have open  Clearly this causes for some interesting data as some operations overwrite some session data and not others so you have a combination of data in that single session   Now  to address the testing issue  The only viable approach would be to leverage Preprocessor Directives to determine if cookie-less sessions should be used  See  by building in a specific configuration for a specific environment I m able to make some assumptions about the environment and what it s used for  This would allow me to technically have two users logged in at the same time and the tester could test multiple scenarios from the same browser session without ever logging out of any of those server sessions   However  this approach has some serious caveats  Not least of which is the fact that what the tester is testing is not what s going to run in production   So I think I ve got to say  this is ultimately a bad idea

User · Answer

I ll be honest here     everything above may or may not be true  but it all seems WAY too complicated  or doesn t address knowing what tab is being used server side     Sometimes we need to apply Occam s razor     Here s the Occam s approach   no  I m not Occam  he died in 1347   1  assign a browser unique id to your page on load      if and only if the window doesn t have an id yet  so use a prefix and a detection   2  on every page you have  use a global file or something  simply put code in place to detect the focus event and or mouseover event   I ll use jquery for this part  for ease of code writing   3  in your focus  and or mouseover  function  set a cookie with the window name in it  4  read that cookie value from your server side when you need to read write tab specific data   Client side     Events    window  ready function    generateWindowID        window  focus function    setAppId        window  mouseover function    setAppId        function generateWindowID           first see if the name is already set  if not  set it      if  se appframe   name indexOf  SEAppId      -1                window name    SEAppId     new Date    getTime             setAppId      function setAppId           generate the cookie     strCookie    seAppId     se appframe   name            strCookie      path          if  window location protocol toLowerCase       https             strCookie      secure               document cookie   strCookie      server side  C  - for example purposes      variable name  string varname       HttpCookie aCookie   Request Cookies  seAppId    if aCookie    null         varname    Request Cookies  seAppId   Value          varname      mySessionVariable      write session data  Session varname     ABC123      readsession data  String myVariable   Session varname     Done

User · Answer

Spring Session supports multiple session in same browser Look at the samples and implementation detail  http   docs spring io spring-session docs current reference html5 guides users html

User · Answer

You have to realize that server-side sessions are an artificial add-on to HTTP  Since HTTP is stateless  the server needs to somehow recognize that a request belongs to a particular user it knows and has a session for  There are 2 ways to do this    Cookies  The cleaner and more popular method  but it means that all browser tabs and windows by one user share the session - IMO this is in fact desirable  and I would be very annoyed at a site that made me login for each new tab  since I use tabs very intensively URL rewriting  Any URL on the site has a session ID appended to it  This is more work  you have to do something everywhere you have a site-internal link   but makes it possible to have separate sessions in different tabs  though tabs opened through link will still share the session  It also means the user always has to log in when he comes to your site    What are you trying to do anyway  Why would you want tabs to have separate sessions  Maybe there s a way to achieve your goal without using sessions at all   Edit  For testing  other solutions can be found  such as running several browser instances on separate VMs   If one user needs to act in different roles at the same time  then the  role  concept should be handled in the app so that one login can have several roles  You ll have to decide whether this  using URL rewriting  or just living with the current situation is more acceptable  because it s simply not possible to handle browser tabs separately with cookie-based sessions

User · Answer

You can use link-rewriting to append a unique identifier to all your URLs when starting at a single page  e g  index html jsp whatever   The browser will use the same cookies for all your tabs so everything you put in cookies will not be unique

User · Answer

you will need to do  1- store a cookie for accounts list  2- optional store a cookie for default one  3- store for each account with it s index like acc1  acc2  4- put in the url something represent the index of accounts and if not you will select the default one like google mail domain com 0 some-url    0 here represent the index of account also you may need to know how to use urlwrite  5- when select a cookie  select it according to your urlpath represent the account index  Regards

User · Answer

You shouldn t  If you want to do such a thing either you need to force user to use a single instance of your application by writing URLs on the fly use a sessionID alike  not sessionid it won t work  id and pass it in every URL   I don t know why you need it but unless you need make a totally unusable application don t do it

User · Answer

I ll be honest here     everything above may or may not be true  but it all seems WAY too complicated  or doesn t address knowing what tab is being used server side     Sometimes we need to apply Occam s razor     Here s the Occam s approach   no  I m not Occam  he died in 1347   1  assign a browser unique id to your page on load      if and only if the window doesn t have an id yet  so use a prefix and a detection   2  on every page you have  use a global file or something  simply put code in place to detect the focus event and or mouseover event   I ll use jquery for this part  for ease of code writing   3  in your focus  and or mouseover  function  set a cookie with the window name in it  4  read that cookie value from your server side when you need to read write tab specific data   Client side     Events    window  ready function    generateWindowID        window  focus function    setAppId        window  mouseover function    setAppId        function generateWindowID           first see if the name is already set  if not  set it      if  se appframe   name indexOf  SEAppId      -1                window name    SEAppId     new Date    getTime             setAppId      function setAppId           generate the cookie     strCookie    seAppId     se appframe   name            strCookie      path          if  window location protocol toLowerCase       https             strCookie      secure               document cookie   strCookie      server side  C  - for example purposes      variable name  string varname       HttpCookie aCookie   Request Cookies  seAppId    if aCookie    null         varname    Request Cookies  seAppId   Value          varname      mySessionVariable      write session data  Session varname     ABC123      readsession data  String myVariable   Session varname     Done

User · Answer

I think what you probably want is to maintain navigation state across tabs and not specifically creating a single session per tab  This is exactly what the Seam framework achieves with their Conversation scope context  Their implementation relies on the fact that a conversation id is propagated with each request and creates the notion of a conversation on the server side  which is something that lies between a session and a request  It allows for navigation flow control and state management   Although that s mainly aimed at JSF  have a look and check if that s something where you can take some ideas from  http   docs jboss org seam latest reference en-US html single  d0e3620

User · Answer

If it s because each tab will be running a different flow in your application  and mixing both flows causes problems  then it s better to  Regionalize  your session objects  so that each flow will use a different region of the session  This region can be implemented as simply as having different prefixes for each flow  or session object will hold multiple maps  one for each flow   and you use those maps instead of session attributes  the best though would be to extend your session class and use it instead

User · Answer

You can use link-rewriting to append a unique identifier to all your URLs when starting at a single page  e g  index html jsp whatever   The browser will use the same cookies for all your tabs so everything you put in cookies will not be unique

User · Answer

Another approach that works is to create a unique window id and store this value along with the session id in a database table   The window id I often use is integer now    This value is created when a window is opened and re-assigned to the same window if the window is refreshed  reloaded or submitted to itself   Window values  inputs  are saved in the local table using the link   When a value is required  it is obtained from the database table based on the window id   session id link   While this approach requires a local database  it is virtually foolproof   The use of a database table was easy for me  but I see no reason why local arrays would not work just as well

User · Answer

You shouldn t  If you want to do such a thing either you need to force user to use a single instance of your application by writing URLs on the fly use a sessionID alike  not sessionid it won t work  id and pass it in every URL   I don t know why you need it but unless you need make a totally unusable application don t do it

User · Answer

The window name Javascript property  is the only thing that will persist across tab activity  but can remain independent  instead of URL guff

User · Answer

I ve come up with a new solution  which has a tiny bit of overhead  but seems to be working so far as a prototype   One assumption is that you re in an honour system environment for logging in  although this could be adapted by rerequesting a password whenever you switch tabs   Use localStorage  or equivalent  and the HTML5 storage event to detect when a new browser tab has switched which user is active   When that happens  create a ghost overlay with a message saying you can t use the current window  or otherwise disable the window temporarily  you might not want it to be this conspicuous    When the window regains focus  send an AJAX request logging the user back in   One caveat to this approach  you can t have any normal AJAX calls  i e   ones that depend on your session  happen in a window that doesn t have the focus  e g  if you had a call happening after a delay   unless you manually make an AJAX re-login call before that   So really all you need do is have your AJAX function check first to make sure localStorage currently logged in user id     window yourAppNameSpace user id  and if not  log in first via AJAX   Another is race conditions  if you can switch windows fast enough to confuse it  you may end up with a relogin1- relogin2- ajax1- ajax2 sequence  with ajax1 being made under the wrong session   Work around this by pushing login AJAX requests onto an array  and then onstorage and before issuing a new login request  abort all current requests   The last gotcha to look out for is window refreshes   If someone refreshes the window while you ve got an AJAX login request active but not completed  it ll be refreshed in the name of the wrong person   In this case you can use the nonstandard beforeunload event to warn the user about the potential mixup and ask them to click Cancel  meanwhile reissuing an AJAX login request   Then the only way they can botch it is by clicking OK before the request completes  or by accidentally hitting enter spacebar  because OK is--unfortunately for this case--the default    There are other ways to handle this case  like detecting F5 and Ctrl R Alt R presses  which will work in most cases but could be thwarted by user keyboard shortcut reconfiguration or alternative OS use   However  this is a bit of an edge case in reality  and the worst case scenarios are never that bad  in an honour system configuration  you d be logged in as the wrong person  but you can make it obvious that this is the case by personalizing pages with colours  styles  prominently displayed names  etc    in a password configuration  the onus is on the last person who entered their password to have logged out or shared their session  or if this person is actually the current user  then there s no breach   But in the end you have a one-user-per-tab application that  hopefully  just acts as it should  without having to necessarily set up profiles  use IE  or rewrite URLs   Make sure you make it obvious in each tab who is logged into that particular tab  though

User · Answer

We had this problem and we solved it very easy  I mean easy because no programming involved  What we wanted to do was to let a user login to multiple account within same browser window without conflicting the sessions   So the solution was random subdomains   23423 abc com 242234 abc com 235643 abc com   So we asked our system admin to configure the SSL certificates for   abc com rather abc com Then with little code change  every time a user try to login  he gets logged in a tab with a random subdomain number  so each tab could have its own session independently  Also to avoid any conflict  we developed the random number using a hash or md5 of user id

User · Answer

You have to realize that server-side sessions are an artificial add-on to HTTP  Since HTTP is stateless  the server needs to somehow recognize that a request belongs to a particular user it knows and has a session for  There are 2 ways to do this    Cookies  The cleaner and more popular method  but it means that all browser tabs and windows by one user share the session - IMO this is in fact desirable  and I would be very annoyed at a site that made me login for each new tab  since I use tabs very intensively URL rewriting  Any URL on the site has a session ID appended to it  This is more work  you have to do something everywhere you have a site-internal link   but makes it possible to have separate sessions in different tabs  though tabs opened through link will still share the session  It also means the user always has to log in when he comes to your site    What are you trying to do anyway  Why would you want tabs to have separate sessions  Maybe there s a way to achieve your goal without using sessions at all   Edit  For testing  other solutions can be found  such as running several browser instances on separate VMs   If one user needs to act in different roles at the same time  then the  role  concept should be handled in the app so that one login can have several roles  You ll have to decide whether this  using URL rewriting  or just living with the current situation is more acceptable  because it s simply not possible to handle browser tabs separately with cookie-based sessions

User · Answer

I see many implementations which have client side changes to manipulate session id cookies  But in general session id cookies should be HttpOnly so java-script cannot access otherwise it may lead to Session Hijack thru XSS

User · Answer

We had this problem and we solved it very easy  I mean easy because no programming involved  What we wanted to do was to let a user login to multiple account within same browser window without conflicting the sessions   So the solution was random subdomains   23423 abc com 242234 abc com 235643 abc com   So we asked our system admin to configure the SSL certificates for   abc com rather abc com Then with little code change  every time a user try to login  he gets logged in a tab with a random subdomain number  so each tab could have its own session independently  Also to avoid any conflict  we developed the random number using a hash or md5 of user id

User · Answer

I developed a solution to this problem recently using Cookies  Here is a link to my solution  I have also included sample code of the solution using ASP NET  you should be able to adapt this to JSP or Servelets if you need    https   sites google com site sarittechworld track-client-windows

User · Answer

In javascript  how can I uniquely identify one browser window from another which are under the same cookiedbased sessionId  Essentially use window name  If its not set  set it to a unique value and use it  It will be different across tabs that belong to same session

User · Answer

If it s because each tab will be running a different flow in your application  and mixing both flows causes problems  then it s better to  Regionalize  your session objects  so that each flow will use a different region of the session  This region can be implemented as simply as having different prefixes for each flow  or session object will hold multiple maps  one for each flow   and you use those maps instead of session attributes  the best though would be to extend your session class and use it instead

User · Answer

You shouldn t  If you want to do such a thing either you need to force user to use a single instance of your application by writing URLs on the fly use a sessionID alike  not sessionid it won t work  id and pass it in every URL   I don t know why you need it but unless you need make a totally unusable application don t do it

User · Answer

Note  The solution here needs to be done at application design stage  It would be difficult to engineer this in later   Use a hidden field to pass around the session identifier   For this to work each page must include a form    lt form method  post  action   handler  gt      lt input type  hidden  name  sessionId  value  123456890123456890ABCDEF01    gt     lt input type  hidden  name  action  value      gt    lt  form gt    Every action on your side  including navigation  POSTs the form back  setting the action as appropriate   For  unsafe  requests  you could include another parameter  say containing a JSON value of the data to be submitted    lt input type  hidden  name  action  value  completeCheckout    gt   lt input type  hidden  name  data  value     cardNumber     4111111111111111           gt    As there are no cookies  each tab will be independent and will have no knowledge of other sessions in the same browser   Lots of advantages  particularly when it comes to security    No reliance on JavaScript or HTML5  Inherently protects against CSRF  No reliance on cookies  so protects against POODLE  Not vulnerable to session fixation  Can prevent back button use  which is desirable when you want users to follow a set path through your site  which means logic bugs that can sometimes be attacked by out-of-order requests  can be prevented     Some disadvantages    Back button functionality may be desired  Not very effective with caching as every action is a POST    Further information here

User · Answer

You can use HTML5 SessionStorage  window sessionStorage   You will generate a random id and save in session Storage per Browser Tab  Then each browser tab has his own Id       Data stored using sessionStorage do not persist across browser tabs    even if two tabs both contain webpages from the same domain origin  In   other words  data inside sessionStorage is confined to not just the   domain and directory of the invoking page  but the browser tab in   which the page is contained in  Contrast that to session cookies    which do persist data from tab to tab

User · Answer

you will need to do  1- store a cookie for accounts list  2- optional store a cookie for default one  3- store for each account with it s index like acc1  acc2  4- put in the url something represent the index of accounts and if not you will select the default one like google mail domain com 0 some-url    0 here represent the index of account also you may need to know how to use urlwrite  5- when select a cookie  select it according to your urlpath represent the account index  Regards

User · Answer

You can use link-rewriting to append a unique identifier to all your URLs when starting at a single page  e g  index html jsp whatever   The browser will use the same cookies for all your tabs so everything you put in cookies will not be unique

User · Answer

Spring Session supports multiple session in same browser Look at the samples and implementation detail  http   docs spring io spring-session docs current reference html5 guides users html

User · Answer

You can use HTML5 SessionStorage  window sessionStorage   You will generate a random id and save in session Storage per Browser Tab  Then each browser tab has his own Id       Data stored using sessionStorage do not persist across browser tabs    even if two tabs both contain webpages from the same domain origin  In   other words  data inside sessionStorage is confined to not just the   domain and directory of the invoking page  but the browser tab in   which the page is contained in  Contrast that to session cookies    which do persist data from tab to tab

User · Answer

You can use link-rewriting to append a unique identifier to all your URLs when starting at a single page  e g  index html jsp whatever   The browser will use the same cookies for all your tabs so everything you put in cookies will not be unique

User · Answer

In javascript  how can I uniquely identify one browser window from another which are under the same cookiedbased sessionId  Essentially use window name  If its not set  set it to a unique value and use it  It will be different across tabs that belong to same session

User · Answer

I developed a solution to this problem recently using Cookies  Here is a link to my solution  I have also included sample code of the solution using ASP NET  you should be able to adapt this to JSP or Servelets if you need    https   sites google com site sarittechworld track-client-windows

User · Answer

Note  The solution here needs to be done at application design stage  It would be difficult to engineer this in later   Use a hidden field to pass around the session identifier   For this to work each page must include a form    lt form method  post  action   handler  gt      lt input type  hidden  name  sessionId  value  123456890123456890ABCDEF01    gt     lt input type  hidden  name  action  value      gt    lt  form gt    Every action on your side  including navigation  POSTs the form back  setting the action as appropriate   For  unsafe  requests  you could include another parameter  say containing a JSON value of the data to be submitted    lt input type  hidden  name  action  value  completeCheckout    gt   lt input type  hidden  name  data  value     cardNumber     4111111111111111           gt    As there are no cookies  each tab will be independent and will have no knowledge of other sessions in the same browser   Lots of advantages  particularly when it comes to security    No reliance on JavaScript or HTML5  Inherently protects against CSRF  No reliance on cookies  so protects against POODLE  Not vulnerable to session fixation  Can prevent back button use  which is desirable when you want users to follow a set path through your site  which means logic bugs that can sometimes be attacked by out-of-order requests  can be prevented     Some disadvantages    Back button functionality may be desired  Not very effective with caching as every action is a POST    Further information here

User · Answer

You shouldn t  If you want to do such a thing either you need to force user to use a single instance of your application by writing URLs on the fly use a sessionID alike  not sessionid it won t work  id and pass it in every URL   I don t know why you need it but unless you need make a totally unusable application don t do it

User · Answer

How to differ sessions in browser-tabs    The most straightforward way to differ sessions in browser tabs is to disallow your particular domain to set cookies  That way  you can have separate sessions from separate tabs  Say you disallow cookies from this domain  www xyz com  You open Tab 1  login and start browsing  Then you open Tab 2  and you can login either as a same user or a different one  either way  you will have a session separate from Tab 1  And so on    But of course this is possible when you have control over the client side  Otherwise  the solutions prescribed by the folks here should apply

User · Answer

I ve come up with a new solution  which has a tiny bit of overhead  but seems to be working so far as a prototype   One assumption is that you re in an honour system environment for logging in  although this could be adapted by rerequesting a password whenever you switch tabs   Use localStorage  or equivalent  and the HTML5 storage event to detect when a new browser tab has switched which user is active   When that happens  create a ghost overlay with a message saying you can t use the current window  or otherwise disable the window temporarily  you might not want it to be this conspicuous    When the window regains focus  send an AJAX request logging the user back in   One caveat to this approach  you can t have any normal AJAX calls  i e   ones that depend on your session  happen in a window that doesn t have the focus  e g  if you had a call happening after a delay   unless you manually make an AJAX re-login call before that   So really all you need do is have your AJAX function check first to make sure localStorage currently logged in user id     window yourAppNameSpace user id  and if not  log in first via AJAX   Another is race conditions  if you can switch windows fast enough to confuse it  you may end up with a relogin1- relogin2- ajax1- ajax2 sequence  with ajax1 being made under the wrong session   Work around this by pushing login AJAX requests onto an array  and then onstorage and before issuing a new login request  abort all current requests   The last gotcha to look out for is window refreshes   If someone refreshes the window while you ve got an AJAX login request active but not completed  it ll be refreshed in the name of the wrong person   In this case you can use the nonstandard beforeunload event to warn the user about the potential mixup and ask them to click Cancel  meanwhile reissuing an AJAX login request   Then the only way they can botch it is by clicking OK before the request completes  or by accidentally hitting enter spacebar  because OK is--unfortunately for this case--the default    There are other ways to handle this case  like detecting F5 and Ctrl R Alt R presses  which will work in most cases but could be thwarted by user keyboard shortcut reconfiguration or alternative OS use   However  this is a bit of an edge case in reality  and the worst case scenarios are never that bad  in an honour system configuration  you d be logged in as the wrong person  but you can make it obvious that this is the case by personalizing pages with colours  styles  prominently displayed names  etc    in a password configuration  the onus is on the last person who entered their password to have logged out or shared their session  or if this person is actually the current user  then there s no breach   But in the end you have a one-user-per-tab application that  hopefully  just acts as it should  without having to necessarily set up profiles  use IE  or rewrite URLs   Make sure you make it obvious in each tab who is logged into that particular tab  though

User · Answer

How to differ sessions in browser-tabs    The most straightforward way to differ sessions in browser tabs is to disallow your particular domain to set cookies  That way  you can have separate sessions from separate tabs  Say you disallow cookies from this domain  www xyz com  You open Tab 1  login and start browsing  Then you open Tab 2  and you can login either as a same user or a different one  either way  you will have a session separate from Tab 1  And so on    But of course this is possible when you have control over the client side  Otherwise  the solutions prescribed by the folks here should apply

User · Answer

You have to realize that server-side sessions are an artificial add-on to HTTP  Since HTTP is stateless  the server needs to somehow recognize that a request belongs to a particular user it knows and has a session for  There are 2 ways to do this    Cookies  The cleaner and more popular method  but it means that all browser tabs and windows by one user share the session - IMO this is in fact desirable  and I would be very annoyed at a site that made me login for each new tab  since I use tabs very intensively URL rewriting  Any URL on the site has a session ID appended to it  This is more work  you have to do something everywhere you have a site-internal link   but makes it possible to have separate sessions in different tabs  though tabs opened through link will still share the session  It also means the user always has to log in when he comes to your site    What are you trying to do anyway  Why would you want tabs to have separate sessions  Maybe there s a way to achieve your goal without using sessions at all   Edit  For testing  other solutions can be found  such as running several browser instances on separate VMs   If one user needs to act in different roles at the same time  then the  role  concept should be handled in the app so that one login can have several roles  You ll have to decide whether this  using URL rewriting  or just living with the current situation is more acceptable  because it s simply not possible to handle browser tabs separately with cookie-based sessions

[jsp] How to differ sessions in browser-tabs?

Examples related to jsp

Examples related to servlets

Examples related to browser

Examples related to web-applications

Examples related to sessionid