tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Matt Goss <mg...@rtci.com>
Subject Re: Session persistence question
Date Wed, 23 Aug 2000 13:13:04 GMT
This is an unfortunate side effect of the way Browsers track sessions. At this
current time, sessions are only tracked per browser (ie. machine), not per
browser window. For instance if you are using ie and you have a session cookie
set. As long as you are using ie and that cookie is valid, you will have the
same session for any window ie opens. The same scenario works for goes for
Netscape.
I don't think there is a way around this, but if there is I would love to hear
it! :)
Matt Goss

sicaudp@WellsFargo.COM wrote:

> > All:
> > We have observed the following behavior:
> >
> > 1. login.html accepts user information and passes if to a servlet called
> > LoginHandler
> > 2.  LoginHandler servlet creates a session and puts a String loginDone in
> > the session object.
> >
> >       HttpSession session = request.getSession(true);
> >       session.putValue("loginDone", userName);
> >
> > 3. for every jsp and servlet we check out if the user is logged on or not,
> >     If s/he is not logged on we redirect the user to login screen
> >
> >       if (loginDone == null){
> >               response.sendRedirect("/login.html");
> >       }
> >
> > It works fine but the problem is when the user has already logged in and
> > s/he creates a new browser instance s/he is not redirected the login
> > screen because the loginDone is not null for the new browser screen. I
> > want to force her to login in this case. I tried this with both IE5 and NS
> > web browers.
> > "session.isNew()" is false, loginDone contains the user name and
> > session.getId() contains the same session id.
> >       A new session is created only if we launch a different browser or
> > restart the web server.
> >
> >      We are using iPlanet web server 4.1 running on HP/UX.
> >
> >      So... the question is:
> >     is the expected behavior for the servlet engine to encompass all
> > instances of the *same* browser in the same session? Does the browser
> > cache        previously hit URLs (with the embedded sessionid). We though
> > that every instance of the browser would start cleanly and that it would
> > know nothing about previous sessions.
> >     Any assistance would be appreciated...
> >

Mime
View raw message