struts-user mailing list archives

From RajibJana <>
Subject Re: Struts 2 session problem
Date Sat, 17 Jan 2009 08:16:47 GMT

Thanks Wes for your reply.

The application requires userid info for various reasons like authorization,
auditing etc. A hidden key (security reason) or cookies (may be disabled)
are not a good way to handle this situation. I am wondering whether this
is not a common requirement for any web app where we need to keep some
information that can be accessed for a particular user session. I hoped that
Struts 2 is capable of handling user sessions.

I am in a fix; may I need to look at other frameworks like Seam?



Wes Wannemacher wrote:
> On Saturday 17 January 2009 00:23:49 RajibJana wrote:
>> 1) A User opens a browser window (IE 7/Firefox) and logs in to the
>> application as User X, and the application shows the logged-in userid as X
>> and DB transactions also get userid info as X.
>> 2) The same user opens a browser tab or new window from the opened window
>> (from where he logged in as X), and logs in to the application as User Y.
>> Now userid Y overrides the userid X in the session map (as no new session
>> is opened, I guess) and I get userid as Y in both the browser tabs. My
>> application breaks.
>> 3) If the user opens a new browser instance, then a new session is
>> created and both the windows have their own user id info (i.e. the userid
>> doesn't override).
> I don't know if you will be able to fix your problem as long as you use a
> form of authorization that relies on the session. Each browser tab will
> continue using the session that is already established.
>
> Although I would not suggest this for a production application, if this
> behavior is a requirement for your application, then you could try hiding a
> key within the page (a hidden input field) and also appending the key to
> each request URL. This is a very bad way to do it because it will be easy to
> hijack a session, especially in cases where the user is clicking a link and
> the key will be visible in the GET request.
>
> I would consider whether your requirement is a development-time
> requirement... Meaning, is this something you need for testing your app? Or
> is this something the users will need? If it is something that the users
> need, consider refactoring before you hide key fields as I suggest above. If
> this is something you need for testing and development, then try to find a
> browser plugin that allows you to gain finer control over your cookies so
> that you can control the sessions while you work.
>
> -Wes
> --
> Wes Wannemacher
> Author - Struts 2 In Practice
> Includes coverage of Struts 2.1, Spring, JPA, JQuery, Sitemesh and more
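The behaviour both posters describe (two tabs of one browser share one servlet session, so a second login overwrites the `userid` entry the first tab stored) can be made concrete with a small Struts 2 login action. The following is an added example written for this archive page, not code from either poster or from the Struts project; it assumes the Struts 2.1-era `SessionAware` and `ServletActionContext` APIs, and the action name, the `userid` session key and the in-memory `UserStore` are hypothetical. Instead of the hidden-key workaround that Wes himself calls hijack-prone, it refuses a second identity on an already-authenticated session and rotates the session id on login, which is the usual defence against session fixation.

```java
// Added example (hypothetical action; not from the thread or the Struts project).
// Assumes Struts 2.1-era APIs: org.apache.struts2.interceptor.SessionAware and
// org.apache.struts2.ServletActionContext. "userid" is an assumed session key.
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.struts2.ServletActionContext;
import org.apache.struts2.interceptor.SessionAware;
import com.opensymphony.xwork2.ActionSupport;

public class LoginAction extends ActionSupport implements SessionAware {

    // Constructed sample credential store; a real application would use a
    // password hash and a database or directory lookup instead.
    static final class UserStore {
        private static final Map<String, String> USERS = new HashMap<String, String>();
        static {
            USERS.put("x", "secretX"); // constructed sample user X
            USERS.put("y", "secretY"); // constructed sample user Y
        }
        static boolean authenticate(String user, String pass) {
            String expected = USERS.get(user);
            return expected != null && expected.equals(pass);
        }
    }

    private Map<String, Object> session; // Struts 2 exposes the HttpSession as a Map
    private String username;
    private String password;

    public void setSession(Map<String, Object> session) { this.session = session; }
    public void setUsername(String username) { this.username = username; }
    public void setPassword(String password) { this.password = password; }

    @Override
    public String execute() {
        if (!UserStore.authenticate(username, password)) {
            addActionError("Invalid login");
            return INPUT;
        }

        // Every tab of one browser sends the same JSESSIONID cookie, so every
        // tab receives this same map. With a plain session.put("userid", ...)
        // a login as Y in tab 2 would silently replace the X stored by tab 1,
        // which is exactly the overwrite reported in the question.
        Object current = session.get("userid");
        if (current != null && !current.equals(username)) {
            // Refuse to switch identity underneath the other tab; the user has
            // to log out (or use a separate browser profile) first.
            addActionError("This session is already logged in as " + current
                    + "; log out before logging in as another user");
            return ERROR;
        }

        // Successful login: discard the pre-login session and start a new one so
        // that a session id issued before authentication (session fixation)
        // cannot be reused, then store the identity in the fresh session.
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("userid", username);
        return SUCCESS;
    }
}
```

Authorization and auditing code can then read `userid` from the session map on later requests, as the original poster wants, and a per-tab identity simply is not expressible with cookie-backed sessions: the conflict check above makes that limitation explicit instead of letting the second login corrupt the first tab's state.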