tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Smith <>
Subject Re: OT: Sessions
Date Thu, 28 Jun 2007 12:25:29 GMT
The problem is you are allowing two users to login to what tomcat sees 
as the same browser window.  When you do Ctrl-N from IE or just anything 
method of creating a new window from Firefox, it's on the same process 
and has access to all the same cookies as the first one.  To handle the 
issue properly requires you actually check to see if there is a 
pre-existing session before allowing the user to login.  Force the first 
user to log-out before allowing another to login from the same browser 
window (or any of it's session sharing siblings).  Alternatively you 
could automatically logout the first user when the second one log's in 
since it's obvious the first user is no longer present.

In the login page, just do a check:

  <c:when test="${not empty userName}">
    <!-- Ship back an error -->
    <!-- Display the login page -->

You'll be much happier if your app design allows for only one user from 
any given client browser process regardless of multiple windows.  It 
also enforces the security you appear to be after with fine grained 
audit logs.

--David wrote:
> Hi:
> Thanks David, Chris and Martin for the responses. I appreciate them. May be I didn't
explain the situation properly in my posting. I will try to explain better -
> The application has pretty decent authentication mechanism that differentiates between
users, roles and permissions etc. What the application need to maintain is user object information
specifically - name, role, dept - to be used across other pages of the application. Since
we are using session as datum -  after 2nd user logs in ... the 1st user object is overwritten
with 2nd user information. This creates problems specifically while logging out. In the application
we are making sure that only one user login is allowed per user. This also complicates when
we are attempting to create audit log of the user operations. Even though an operation is
performed by the 1st user the audit log registers it as the operation performed by 2nd user.
This messes up the whole point of creating audit logs.  Also, for the question of Chris -
there could be a need for two different users with different roles could try to login and
that is when we are having this problem. Thanks again for the fe
>  edback.
> regards,
> vasu
> ---- Christopher Schultz <> wrote: 
>> Hash: SHA1
>> Vasu,
>> wrote:
>>> Since we are using Session Attributes to keep track of User
>>> Information - this gets mangled when we try to login to application
>>> from the same browser (in FireFox) and Ctrl-N from IE (in other words
>>> the person who gets logged in will overwrite the current user's
>>> attribute thus losing first user information).
>> Just to be sure I understand:
>> You have an application that uses sessions.
>> When the user logs-in in one window, then opens another window and
>> logs-in again, the first user's session appears to go away, and both
>> windows now point to the new login?
>> If that's what you are describing, then it is expected behavior if you
>> are using cookies for session management.
>> When cookies are used, the browser sends a cookie with each request. The
>> cookie chosen by the browser is based on the hostname and path being
>> used for the request (say,
>> When you login from the second window, your browser deletes the ole
>> JSESSIONID cookie and replaces it with the new one (from the new login).
>> Both windows will send the same cookie from then on, essentially
>> cutting-off the first user.
>>> So, I am wondering whether you all have any recommendations/inputs to
>>> avoid this scenario. Thanks in advance. I did check the google and
>>> other search tools, but could not locate anything useful.
>> One way to get around this is to turn off the use of cookies for session
>> tracking. Search the web or the archives of this list (or read the
>> Tomcat docs) to see how to do this. REMEMBER that if you aren't using
>> cookies, /every single URL to emit must be sent through
>> HttpServletRequest.encodeURL/, otherwise clicking on a (non-encoded)
>> link will appear to lose the session.
>> My last question would be: why do you need to have multiple windows with
>> separate logins?
>> - -chris
>> Version: GnuPG v1.4.7 (MingW32)
>> Comment: Using GnuPG with Mozilla -
>> RNrnxDmhylsMfU/bbqWYCRo=
>> =mlah
>> -----END PGP SIGNATURE-----
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail:
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:
> ---------------------------------------------------------------------
> To start a new topic, e-mail:
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message