tomcat-users mailing list archives

From "Propes, Barry L " <>
Subject RE: OT: Sessions
Date Tue, 03 Jul 2007 15:11:38 GMT
Sounds almost like some MetaFrame connection or something, then running the app on that particular
Is that what's going on here?

-----Original Message-----
From: Christopher Schultz []
Sent: Thursday, June 28, 2007 8:20 AM
Cc: Tomcat Users List
Subject: Re: OT: Sessions


Vasu wrote:
> The application has pretty decent authentication mechanism that 
> differentiates between users, roles and permissions etc. What the 
> application need to maintain is user object information specifically 
> - name, role, dept - to be used across other pages of the 
> application. Since we are using session as datum -  after 2nd user 
> logs in ... the 1st user object is overwritten with 2nd user 
> information.

Please be clear: is one session being hijacked by the second user, or is
the second user getting a new session that both users are then using?
(Check the session ids.)

> This creates problems specifically while logging out. In the
> application we are making sure that only one user login is allowed
> per user.

This "feature" leads to all kinds of pain, IMO.

> This also complicates when we are attempting to create audit log of
> the user operations. Even though an operation is performed by the 1st
> user the audit log registers it as the operation performed by 2nd
> user.

Again, please check the session ids. If both users are sharing a session
(which I'm guessing is the case), then it's not really "user 1" that is
issuing that request... it's "user 2", and "user 1" has effectively been
logged-out of the system.

Once again: why do you need to support different users in separate
windows on the same machine?

> This messes up the whole point of creating audit logs.  Also, for the
> question of Chris - there could be a need for two different users
> with different roles could try to login and that is when we are
> having this problem.

I still don't get it. Why would two users login from the same machine at
the same time? Is this just something that you are running across during
testing, or do you actually want to support this use case?

If you need to support this use case, you /must/ abandon cookie-based
session management. Force your app server to do URL-rewriting and this
problem should go away immediately. See my previous post for some caveats.

- -chris
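The two checks Chris asks for above (log the session id with every audit entry, and find out whether the second login is arriving on the first user's session) can be made part of the login code itself. The servlet below is an added example written for this archive page; it is not code from the thread or from Tomcat. `AppUser`, the in-memory `USERS` table and the `/home` redirect target are constructed placeholders, and it assumes the application's own authentication code has already verified the password before this servlet is reached.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet (added example, not from the thread). It records
// the session id with every audit line and refuses to silently overwrite one
// user's session object with another user's.
public class LoginServlet extends HttpServlet {

    // Constructed placeholder for the application's user object (name/role/dept).
    public static final class AppUser {
        final String name, role, dept;
        AppUser(String name, String role, String dept) {
            this.name = name; this.role = role; this.dept = dept;
        }
        @Override public String toString() { return name + "/" + role + "/" + dept; }
    }

    static final String USER_ATTR = "user";

    // Constructed sample directory; role and dept come from here, never from
    // request parameters, so a client cannot pick its own role.
    static final Map<String, AppUser> USERS = new HashMap<String, AppUser>();
    static {
        USERS.put("alice", new AppUser("alice", "admin", "finance"));
        USERS.put("bob",   new AppUser("bob",   "clerk", "shipping"));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Assumed: the password was already checked by the app's existing
        // authentication code; only the session bookkeeping happens here.
        AppUser incoming = USERS.get(req.getParameter("username"));
        if (incoming == null) {
            audit(req, "login-failed", "unknown user");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // The diagnostic from the thread: which session id did the browser
        // send, and did it arrive by cookie or by rewritten URL?
        audit(req, "login-attempt", incoming.name
              + " requestedSid=" + req.getRequestedSessionId()
              + " fromCookie=" + req.isRequestedSessionIdFromCookie()
              + " fromURL=" + req.isRequestedSessionIdFromURL());

        HttpSession existing = req.getSession(false);
        if (existing != null) {
            AppUser current = (AppUser) existing.getAttribute(USER_ATTR);
            if (current != null && !current.name.equals(incoming.name)) {
                // The second login is riding on the first user's session. Log
                // the first user out explicitly so the audit trail shows it,
                // instead of letting the user object be overwritten in place.
                audit(req, "logout-implicit", current.name + " replaced by " + incoming.name);
            }
            // Rotate the session id on every login so the old id stops working
            // (this is also the standard defence against session fixation).
            existing.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(USER_ATTR, incoming);
        audit(req, "login", incoming.name + " newSid=" + fresh.getId());

        // With cookies disabled, encodeRedirectURL() appends ;jsessionid=...
        // so each browser window carries its own session id in its links.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/home"));
    }

    // Audit line that always carries the session id, so "who did this?" can
    // still be answered when two users share one machine.
    static void audit(HttpServletRequest req, String event, String detail) {
        HttpSession s = req.getSession(false);
        String sid = (s == null) ? "-" : s.getId();
        System.out.println("AUDIT sid=" + sid + " ip=" + req.getRemoteAddr()
                           + " event=" + event + " " + detail);
    }
}
```

Two things to keep in mind when reading the audit lines: if `logout-implicit` entries appear, the two windows really are sharing one cookie-based session, which is the situation Chris describes; and the URL-rewriting route he suggests (in Tomcat of that era, `cookies="false"` on the `<Context>` element) makes each window independent only as long as every link and redirect passes through `encodeURL()`/`encodeRedirectURL()`, and it puts the session id into Referer headers, bookmarks and access logs, which is the caveat his earlier post refers to.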

