tomcat-users mailing list archives

From Ingmar Lötzsch <iloetz...@asci-systemhaus.de>
Subject Re: how to invalidate old sessions when new user access appl on same machine
Date Fri, 19 Dec 2008 13:26:43 GMT
Hello,

you can use the Servlet API. First call invalidate() on the actual
HttpSession instance and then getSession(true) on the request object
(HttpServletRequest) to start a new session.

Nicolas Romantzoff wrote:
> That's a problem in your server code...
> 
> Session is bound to a connection (browser session) basically, not a
> machine.
> If you open a second browser (or a second tab) you should get a different
> session-id.

That's dependent on the browser and maybe the user settings. I'm using
Firefox and I'm happy that Firefox uses the same session in all
windows for the same host.

> Don't use JSESSIONID in url parameters, but in session cookie (unless you
> need to cross protocols like http <-> https)

Shouldn't this be transparent to the developer?

> For security, you will have to bind an 'ending' date to the session's
> authentication.

Isn't the session timeout enough?

> Nicolas Romantzoff
> General Manager
> Tél.: (+33) 478 53 65 17 
> 
> 
> -----Original Message-----
> From: Vishnu Vardhana Reddy [mailto:vishnu490@gmail.com]
> Sent: Friday, 19 December, 2008 12:55
> To: users@tomcat.apache.org
> Subject: how to invalidate old sessions when new user access appl on same
> machine
> 
> 
> Hi all,
> 
> I am using the Mozilla browser to access my web application. User one accesses my
> application using his credentials, but I left that browser open. After that I
> am opening another Mozilla window and accessing my application using
> different credentials, e.g. user2's credentials. User 2 can also access my
> application, but when I open the first browser I am automatically getting the
> second user's session. How can we avoid this problem?
> 
> The application is using the session identifier (jSessionID) as the URL parameter for
> session management.
> 
> Is it possible to invalidate the old session when a new user accesses on the same
> machine?
> 
> thanks,
> Vishnu
> --
> View this message in context:
> http://www.nabble.com/how-to-invalidate-old-sessions-when-new-user-access-appl-on-same-machine-tp21090090p21090090.html
> Sent from the Tomcat - User mailing list archive at Nabble.com.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 

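The sequence named at the top of the reply (invalidate() on the current HttpSession, then getSession(true) on the request), written out as a login handler. This is an added example, not code from the thread; the class name, the `checkCredentials` hook, the form field names, the `user` attribute, the timeout value and the redirect target are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: a login handler that discards whatever session the browser
// already holds before binding the newly authenticated user to a fresh one.
public abstract class LoginServlet extends HttpServlet {

    // Hypothetical hook: the application's own credential check goes here.
    protected abstract boolean checkCredentials(String user, String password);

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");     // assumed form field
        String password = request.getParameter("password"); // assumed form field

        if (user == null || password == null || !checkCredentials(user, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // getSession(false) returns the current session or null; it never creates one.
        HttpSession old = request.getSession(false);
        if (old != null) {
            // Unbinds the previous user's attributes and retires the old session id.
            old.invalidate();
        }

        // After invalidate(), getSession(true) creates a session with a new id.
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("user", user);       // assumed attribute name
        fresh.setMaxInactiveInterval(15 * 60);  // idle timeout in seconds (assumed value)

        // encodeRedirectURL() appends the session id to the target only when
        // the container has to fall back to URL rewriting.
        response.sendRedirect(response.encodeRedirectURL("home")); // assumed target
    }
}
```

Because the old session is invalidated on every successful login, a window still showing the first user's pages is sent back through authentication on its next request instead of silently continuing as the second user.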
