tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: OT: Sessions
Date Thu, 28 Jun 2007 13:20:15 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vasu,

vnug@cox.net wrote:
> The application has a pretty decent authentication mechanism that
> differentiates between users, roles, permissions, etc. What the
> application needs to maintain is user object information, specifically
> name, role and dept, to be used across other pages of the
> application. Since we are using the session as the datum, after the 2nd user
> logs in ... the 1st user object is overwritten with the 2nd user's
> information.

Please be clear: is one session being hijacked by the second user, or is
the second user getting a new session that both users are then using?
(Check the session ids.)

> This creates problems specifically while logging out. In the
> application we are making sure that only one user login is allowed
> per user.

This "feature" leads to all kinds of pain, IMO.

> This also complicates when we are attempting to create audit log of
> the user operations. Even though an operation is performed by the 1st
> user the audit log registers it as the operation performed by 2nd
> user.

Again, please check the session ids. If both users are sharing a session
(which I'm guessing is the case), then it's not really "user 1" that is
issuing that request... it's "user 2", and "user 1" has effectively been
logged-out of the system.

Once again: why do you need to support different users in separate
windows on the same machine?

> This messes up the whole point of creating audit logs. Also, for
> Chris's question - there could be a need for two different users
> with different roles to try to log in, and that is when we are
> having this problem.

I still don't get it. Why would two users login from the same machine at
the same time? Is this just something that you are running across during
testing, or do you actually want to support this use case?

If you need to support this use case, you /must/ abandon cookie-based
session management. Force your app server to do URL-rewriting and this
problem should go away immediately. See my previous post for some caveats.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGg7WO9CaO5/Lv0PARAuSNAJ9XF2lkcERWqD3+mrzCq1ZLRiV9MgCgrDWM
w1GBpCFRhPFB0PCxybVtVpM=
=Xlgz
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
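The check Chris asks for ("check the session ids") is easiest to do with a servlet filter that records, for every request, which session id arrived, how it arrived (cookie or rewritten URL) and which user object that session currently holds. The filter below is an added example written for this thread, not code from the original posters or from Tomcat; it assumes the application keeps the logged-in user under a session attribute named "user" (a hypothetical name) and that the user object's toString() is informative enough to tell the two accounts apart.

```java
// Added example (not from the original thread): log session id, tracking
// source and the stored user for each request so two browser windows on the
// same machine can be compared. If both windows report the same session id,
// the users share one cookie-based session and the second login overwrote
// the first user's object, which is what the thread describes.
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionIdAuditFilter implements Filter {
    private static final Logger LOG =
            Logger.getLogger(SessionIdAuditFilter.class.getName());

    // Assumed name of the session attribute holding the logged-in user.
    private static final String USER_ATTR = "user";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // getSession(false) never creates a session, so logging a request
        // that carries no valid session id does not change the app's state.
        HttpSession session = request.getSession(false);
        String sessionId = (session == null) ? "(none)" : session.getId();
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);

        // Whether the id came from a cookie or from a rewritten URL tells you
        // which session-tracking mode is actually in effect for this request.
        String source;
        if (request.isRequestedSessionIdFromCookie()) {
            source = "cookie";
        } else if (request.isRequestedSessionIdFromURL()) {
            source = "url";
        } else {
            source = "none";
        }

        LOG.info(String.format("remote=%s session=%s via=%s user=%s uri=%s",
                request.getRemoteAddr(),
                sessionId,
                source,
                (user == null) ? "(anonymous)" : user.toString(),
                request.getRequestURI()));

        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Map the filter to `/*` in web.xml, log in as the first user in one window and as the second user in another, then compare the `session=` values on the two sets of log lines. One shared id confirms the shared-session case, in which the audit log is attributing actions to the user who most recently logged in because, from the server's point of view, that is the only user left in that session. If the application really must support two users in one browser, the `via=` field is also how you verify the switch Chris recommends: after disabling cookie tracking (on a Servlet 3.0 or later container, `<session-config><tracking-mode>URL</tracking-mode></session-config>` in web.xml; on Tomcat, `cookies="false"` on the `<Context>` element), every request should show `via=url`, which only happens when every link and form action in the application is passed through `response.encodeURL()`.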

