From: RajibJana
To: user@struts.apache.org
Subject: Re: Struts 2 session problem
Date: Sat, 17 Jan 2009 00:16:47 -0800 (PST)
Message-ID: <21514087.post@talk.nabble.com>
In-Reply-To: <200901170115.16030.wesw@wantii.com>

Thanks Wes for your reply.

The application requires userid info for various reasons like authorization, auditing etc. Hidden key (security reason) or cookies (may be disabled) are not the good way to handle this situation.

I am wondering whether this is not a common requirement for any web app where we need to keep some information that can be accessed for a particular user session. I hoped that Struts 2 is capable to handle user session.

I am in a fix, may I need to look other frameworks like Seam?

Thanks
Rajib

Wes Wannemacher wrote:
>
> On Saturday 17 January 2009 00:23:49 RajibJana wrote:
>>
>> 1) A User opens a browser window (IE 7/Firefox) and logs in the application as User X and the application shows the logged in userid as X and DB transactions also get userid info as X.
>> 2) The same user opens a browser tab or new window from the opened window (from where he logged in as X), and logs in the application as User Y. Now userid Y overrides the userid X in session map (as no new session is not opened, I guess) and I get userid as Y in both the browser tabs. My application breaks.
>> 3) If the user opens a new browser instance, then a new session is created and both the windows have their own user id info (i.e. userid doesn't override)
>>
>
> I don't know if you will be able to fix your problem as long as you use a form of authorization that relies on the session. Each browser tab will continue using the session that is already established.
>
> Although I would not suggest this for a production application, but if this behavior is a requirement for your application, then you could try hiding a key within the page (a hidden input field) and also appending the key to each request URL. This is a very bad way to do it because it will be easy to hijack a session. Especially in cases where the user is clicking a link and the key will be visible in the GET request.
>
> I would consider whether your requirement is a development-time requirement... Meaning, is this something you need for testing your app? Or is this something the users will need? If it is something that the users need, consider re-factoring before you hide key fields as I suggest above. If this is something you need for testing and development, then try to find a browser plugin that allows you to gain finer control over your cookies so that you can control the sessions while you work.
>
> -Wes
>
> --
> Wes Wannemacher
> Author - Struts 2 In Practice
> Includes coverage of Struts 2.1, Spring, JPA, JQuery, Sitemesh and more
> http://www.manning.com/wannemacher
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>

--
View this message in context: http://www.nabble.com/Struts-2-session-problem-tp21513305p21514087.html
Sent from the Struts - User mailing list archive at Nabble.com.
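
The behaviour discussed in this thread, as an added illustration that is not part of the original messages and is not Struts code: a plain-JDK model of a cookie-keyed session store, showing why two tabs of one browser share the `userid` while a separate browser instance does not. All class and method names are hypothetical, and `guardedLogin` is only one possible policy (refuse an identity switch inside a live session, rotate the session id on login).

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Added illustration with hypothetical names; models a container's server-side session store.
public class SharedSessionDemo {
    // session id -> session attributes, looked up by the id the browser sends in its cookie
    static final Map<String, Map<String, Object>> SESSIONS = new HashMap<>();

    // One browser instance: every tab and window of it sends the same session cookie.
    static class Browser { String sessionCookie; }

    static Map<String, Object> session(Browser b) {
        if (b.sessionCookie == null || !SESSIONS.containsKey(b.sessionCookie)) {
            b.sessionCookie = UUID.randomUUID().toString();
            SESSIONS.put(b.sessionCookie, new HashMap<>());
        }
        return SESSIONS.get(b.sessionCookie);
    }

    // Login as described in the thread: a second login silently overwrites the first userid.
    static void naiveLogin(Browser b, String userId) { session(b).put("userid", userId); }

    // Guarded login: reject a different user while someone is signed in, else rotate the id.
    static boolean guardedLogin(Browser b, String userId) {
        Object current = session(b).get("userid");
        if (current != null && !current.equals(userId)) return false; // ask for logout first
        SESSIONS.remove(b.sessionCookie); // discard the pre-login session (fixation defence)
        b.sessionCookie = null;
        session(b).put("userid", userId);
        return true;
    }

    static Object whoAmI(Browser b) { return session(b).get("userid"); }

    public static void main(String[] args) {
        Browser shared = new Browser();
        naiveLogin(shared, "X");          // step 1: first tab logs in as X
        naiveLogin(shared, "Y");          // step 2: second tab, same cookie, logs in as Y
        Browser other = new Browser();    // step 3: separate browser instance, own cookie
        naiveLogin(other, "X");
        System.out.println("shared browser, either tab: " + whoAmI(shared));
        System.out.println("separate instance: " + whoAmI(other));
        Browser guarded = new Browser();
        guardedLogin(guarded, "X");
        System.out.println("login as Y accepted: " + guardedLogin(guarded, "Y"));
        System.out.println("guarded browser still: " + whoAmI(guarded));
    }
}
```

In a servlet container the rotation step corresponds to calling `HttpSession.invalidate()` and obtaining a new session before storing the authenticated userid.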