tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <>
Subject Re: OT: Sessions
Date Thu, 28 Jun 2007 04:27:38 GMT


Thanks David, Chris and Martin for the responses. I appreciate them. May be I didn't explain
the situation properly in my posting. I will try to explain better -

The application has pretty decent authentication mechanism that differentiates between users,
roles and permissions etc. What the application need to maintain is user object information
specifically - name, role, dept - to be used across other pages of the application. Since
we are using session as datum -  after 2nd user logs in ... the 1st user object is overwritten
with 2nd user information. This creates problems specifically while logging out. In the application
we are making sure that only one user login is allowed per user. This also complicates when
we are attempting to create audit log of the user operations. Even though an operation is
performed by the 1st user the audit log registers it as the operation performed by 2nd user.
This messes up the whole point of creating audit logs.  Also, for the question of Chris -
there could be a need for two different users with different roles could try to login and
that is when we are having this problem. Thanks again for the fe


---- Christopher Schultz <> wrote: 
> Hash: SHA1
> Vasu,
> wrote:
> > Since we are using Session Attributes to keep track of User
> > Information - this gets mangled when we try to login to application
> > from the same browser (in FireFox) and Ctrl-N from IE (in other words
> > the person who gets logged in will overwrite the current user's
> > attribute thus losing first user information).
> Just to be sure I understand:
> You have an application that uses sessions.
> When the user logs-in in one window, then opens another window and
> logs-in again, the first user's session appears to go away, and both
> windows now point to the new login?
> If that's what you are describing, then it is expected behavior if you
> are using cookies for session management.
> When cookies are used, the browser sends a cookie with each request. The
> cookie chosen by the browser is based on the hostname and path being
> used for the request (say,
> When you login from the second window, your browser deletes the ole
> JSESSIONID cookie and replaces it with the new one (from the new login).
> Both windows will send the same cookie from then on, essentially
> cutting-off the first user.
> > So, I am wondering whether you all have any recommendations/inputs to
> > avoid this scenario. Thanks in advance. I did check the google and
> > other search tools, but could not locate anything useful.
> One way to get around this is to turn off the use of cookies for session
> tracking. Search the web or the archives of this list (or read the
> Tomcat docs) to see how to do this. REMEMBER that if you aren't using
> cookies, /every single URL to emit must be sent through
> HttpServletRequest.encodeURL/, otherwise clicking on a (non-encoded)
> link will appear to lose the session.
> My last question would be: why do you need to have multiple windows with
> separate logins?
> - -chris
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla -
> RNrnxDmhylsMfU/bbqWYCRo=
> =mlah
> ---------------------------------------------------------------------
> To start a new topic, e-mail:
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message