tomcat-users mailing list archives

From sica...@WellsFargo.COM
Subject RE: Session persistence question
Date Wed, 23 Aug 2000 16:45:45 GMT
Matt:
Thanks much for your answer.

We finally made some headway on the problem after we discovered that cookies
had been reenabled on the test machine. Arrrrrrgh.
The good old "We were assuming" was at work again. We are tracking sessions
using URL rewriting only, and the fact that we were getting the same session
from subsequent browser instances did not make sense.
Also, we had to delete transient files in the browser so as to start with a
clean slate...

But, yes, in a nutshell, all instances of a browser share the same cookie
set. If the browser is configured to accept them then the session is valid
for all instances.

Patrice



-----Original Message-----
From: Matt Goss [mailto:mgoss@rtci.com]
Sent: Wednesday, August 23, 2000 6:13 AM
To: tomcat-user@jakarta.apache.org
Subject: Re: Session persistence question


This is an unfortunate side effect of the way browsers track sessions. At this
current time, sessions are only tracked per browser (i.e. machine), not per
browser window. For instance, if you are using IE and you have a session cookie
set, as long as you are using IE and that cookie is valid, you will have the
same session for any window IE opens. The same scenario goes for Netscape.
I don't think there is a way around this, but if there is I would love to hear
it! :)
Matt Goss

sicaudp@WellsFargo.COM wrote:

> > All:
> > We have observed the following behavior:
> >
> > 1. login.html accepts user information and passes it to a servlet called
> > LoginHandler
> > 2.  LoginHandler servlet creates a session and puts a String loginDone in
> > the session object.
> >
> >       HttpSession session = request.getSession(true);
> >       session.putValue("loginDone", userName);
> >
> > 3. for every jsp and servlet we check out if the user is logged on or not,
> >     If s/he is not logged on we redirect the user to login screen
> >
> >       if (loginDone == null){
> >               response.sendRedirect("/login.html");
> >       }
> >
> > It works fine but the problem is when the user has already logged in and
> > s/he creates a new browser instance s/he is not redirected to the login
> > screen because the loginDone is not null for the new browser screen. I
> > want to force her to login in this case. I tried this with both IE5 and NS
> > web browsers.
> > "session.isNew()" is false, loginDone contains the user name and
> > session.getId() contains the same session id.
> >       A new session is created only if we launch a different browser or
> > restart the web server.
> >
> >      We are using iPlanet web server 4.1 running on HP/UX.
> >
> >      So... the question is:
> >     is the expected behavior for the servlet engine to encompass all
> > instances of the *same* browser in the same session? Does the browser
> > cache previously hit URLs (with the embedded sessionid)? We thought
> > that every instance of the browser would start cleanly and that it would
> > know nothing about previous sessions.
> >     Any assistance would be appreciated...
> >
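
A per-request login check like the one in the quoted message, written here as an added example (not code from the thread or from Tomcat). It also records whether the session ID arrived by cookie or by rewritten URL, which is the detail that was being assumed. The class and method names are hypothetical, and the `javax.servlet` API is assumed to be on the classpath.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: LoginGuard and its method names are hypothetical.
public final class LoginGuard {
    private static final Logger LOG = Logger.getLogger(LoginGuard.class.getName());

    private LoginGuard() {}

    // How the browser presented the session ID on this request.
    static String sessionIdSource(HttpServletRequest request) {
        if (request.getRequestedSessionId() == null) return "none";
        if (request.isRequestedSessionIdFromCookie()) return "cookie";
        if (request.isRequestedSessionIdFromURL()) return "url";
        return "other";
    }

    // Returns true when the user is logged in. Returns false after sending
    // the redirect; the caller must then return at once, because
    // sendRedirect() does not stop the servlet or JSP from running on.
    public static boolean requireLogin(HttpServletRequest request,
                                       HttpServletResponse response)
            throws IOException {
        // getSession(false) never creates a session just to test for one.
        HttpSession session = request.getSession(false);
        String source = sessionIdSource(request);

        // This deployment is assumed to track sessions by URL rewriting only.
        // A cookie-borne ID means the browser accepts cookies, so every
        // window of that browser presents the same session.
        if ("cookie".equals(source)) {
            LOG.warning("session ID arrived by cookie; all windows of this "
                    + "browser share the session");
        }

        Object loginDone = (session == null) ? null : session.getAttribute("loginDone");
        if (loginDone == null) {
            // encodeRedirectURL keeps URL rewriting working across the redirect.
            response.sendRedirect(response.encodeRedirectURL("/login.html"));
            return false;
        }
        return true;
    }
}
```

Call it first in each servlet or JSP: `if (!LoginGuard.requireLogin(request, response)) return;`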
