Session for Login Module

Hi,

I have created a Login module for my J2EE Web Application. It prohibits multiple logins. It means that if you have been logged in to the system from PC 1, you can log in from PC 2 but with a warning. If you log in from PC 2, the session is granted to you and the PC 1 session is invalidated. It works well :).

Now, my problem is this....

I simulate the situation on one PC. I open two browsers. It works perfectly, only one browser can connect to my system. However, a problem comes if after I log in, I choose File->New in IE. It seems that the session is duplicated and both valid.

Any idea?

Regards
Dave
suprapto45 Asked:
 
objects Commented:
1. y
2. y (the session actually gets created on the server)

The session is a server side concept, the above techniques are used so the session id associated with a request is included in the request. The browser itself doesn't specially treat anything related to the session.
Without the session id somewhere in the request the server does not know what session it is related to (and typically would start a new session).
0
 
objects Commented:
Yes each instance of IE (containing possibly multiple windows) will share the same session when using cookies to manage sessions.
0
 
objects Commented:
If you use URL rewriting it is the other way round, and each window has its own session.
0
 
suprapto45 (Author) Commented:
Hi objects,

So do you mean that for each PC, the session is only one and shared by many IE instances? Is this the behavior for all browsers (Mozilla, Netscape and etc)?

Regards
Dave
0
 
suprapto45 (Author) Commented:
Hi,

ohhhh.....I get you objects...thx :)

So if you use File->New, the session will be shared but if you open a new IE from iexplore.exe, it will have its own session.


Thus,
" I choose File->New in IE. It seems that the session is duplicated and both valid."
has no solution to invalidate the session, correct?

Regards
Dave
0
 
bloodredsun Commented:
>>So if you use File->New, the session will be shared but if you open a new IE from iexplore.exe, it will have its own session.

No.

What objects meant was that if you/your browser is using cookie based session tracking, then the session will be shared between all instances of the browser (whether they are tabs/new windows or whatever) as the browser instances share the cookie.

BUT, if you are using url-rewriting, where the session id is stored in the url, e.g. http://mysite.com/here/hello.jsp;jsessionid=123456789, this means that you can have multiple sessions in your browser as you might have one window that says:
http://mysite.com/here/hello.jsp;jsessionid=123456789
and another that says:
http://mysite.com/here/hello.jsp;jsessionid=987654321

which is two separate sessions.
0
 
bloodredsun Commented:
>>So do you mean that for each PC, the session is only one and shared by many IE instances? Is this the behavior for all browsers (Mozilla, Netscape and etc)?

Yes. All instances of a browser will share the same directory for storing cookies. This means that if a session cookie has been assigned to you, all instances of THAT browser will share the same session. Another browser would have a different session as it would have a different cookie, but again, all instances for that browser will share the same session cookie.

Not forgetting, of course, that if you use Url-rewriting, it's different ;-)
0
 
suprapto45 (Author) Commented:
Hi,

Thx bloodredsun....but now I am confused. Let me try to find some materials to be read on :). I will ask questions again if I am in doubt.

Regards
Dave
0
 
Mayank S (Associate Director - Product Engineering) Commented:
>> Is this the behavior for all browsers (Mozilla, Netscape and etc)?

Man, if that were not the case, I would go mad ;-) if that were not there, then opening a link in a new window would also not work with the same session. And in that case, I wonder how I would manage to retain the same session if I open 10 EE questions in 10 new windows and ten yahoo mails in ten new Yahoo windows.... :-)
0
 
aozarov Commented:
Hi bloodredsun :-)
I might be wrong here (as I didn't deal with it for a while) but I think the statement "Yes. All instances of a browser will share the same directory for storing cookies" doesn't always apply in the case of Http sessions. If the session was created using a transient cookie (which is stored only in the memory of the browser) then that session will be visible only to that instance (and in the case of IE any other instances that were created using File->New as they share the same memory space). Such configuration is vendor specific (e.g. for Weblogic -> http://e-docs.bea.com/wls/docs81/webapp/sessions.html [see Configuring WebLogic Server Session Cookies]).
Not sure what is the default for Tomcat or where you can configure it, anyone knows?
Do you think otherwise?
0
 
suprapto45 (Author) Commented:
Hi All,

Thanks for your message :). I read some materials and would like to confirm with you all several things.

1. For session tracking, there are two different behaviors, one is using a cookie-enabled browser and another one is using URL rewriting (response.encodeURL). Am I on the right track?

2. Now, for the cookie-enabled browser, the session will be shared by all IE.
>> "if you/your browser is using cookie based session tracking, then the session will be shared between all instances of the browser" (bloodredsun)
But if you use URL rewriting, the session will not be shared but only specific to one IE (one session -> one IE), am I right? What happens if I am opening a new browser by File->New, will the session be specific to each browser using IE?

Thanks.

Regards
Dave
0
 
suprapto45 (Author) Commented:
Hi,

After all my experiences, now I know that I am not good in session concepts :).

Regards
Dave
0
 
objects Commented:
1. correct

2. with url rewriting the session id is passed in the url, so if a browser window sends a request including the session id of another window then it will share that session. On the other hand if it sends a request with no session id in the url then a new session will get created.
0
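A plain-JDK model of the behaviour the answers above describe, added here as an illustration and not code posted by anyone in the thread: the server picks the session from whatever id the request carries (cookie or `;jsessionid=` in the URL), so a File->New window that sends the same cookie cannot be told apart from the original window. `SessionTrackingDemo`, `resolve` and `login` are hypothetical names; a real servlet container performs this lookup itself.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Added model (hypothetical names): how a server maps requests to sessions.
public class SessionTrackingDemo {
    static final Map<String, String> sessions = new HashMap<>();     // session id -> user
    static final Map<String, String> activeByUser = new HashMap<>(); // user -> session id

    // Resolve a request's session: id from the cookie first, else from ;jsessionid= in the URL.
    static String resolve(String cookieId, String url) {
        String marker = ";jsessionid=";
        String id = cookieId;
        int i = url.indexOf(marker);
        if (id == null && i >= 0) id = url.substring(i + marker.length());
        if (id != null && sessions.containsKey(id)) return id;
        id = UUID.randomUUID().toString(); // no valid id in the request: new session
        sessions.put(id, null);
        return id;
    }

    // Single-login rule from the question: a new login invalidates the user's previous session.
    static void login(String sessionId, String user) {
        String old = activeByUser.put(user, sessionId);
        if (old != null && !old.equals(sessionId)) sessions.remove(old);
        sessions.put(sessionId, user);
    }

    public static void main(String[] args) {
        // Cookie tracking: a File->New window sends the same cookie value as its parent.
        String a = resolve(null, "/here/hello.jsp");
        login(a, "dave");
        String fileNew = resolve(a, "/here/hello.jsp");
        System.out.println("File->New shares session: " + fileNew.equals(a));

        // A different browser has no cookie, gets a new session, and its login evicts the first.
        String b = resolve(null, "/here/hello.jsp");
        login(b, "dave");
        System.out.println("first session still valid: " + sessions.containsKey(a));

        // URL rewriting: the id in the URL selects the session; no id means a new session.
        String c = resolve(null, "/here/hello.jsp;jsessionid=" + b);
        String d = resolve(null, "/here/hello.jsp");
        System.out.println("id in URL reuses session: " + c.equals(b));
        System.out.println("no id in URL starts new session: " + !d.equals(b));
    }
}
```

With URL rewriting, any window or bookmark that carries the `;jsessionid=` value resolves to the same session, which is why the single-login check has to key on the session id rather than on the window.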
 
suprapto45 (Author) Commented:
Okay,

I read additional materials. Well there are three techniques you can do to store your session info i.e. URL Rewriting, Cookies and Hidden Form.

URL Rewriting is excellent if user disabled cookie and bad if you use bookmark in your IE.
Cookie is good but limited to only 4K in size.
Hidden Form is the least famous method to be used.

Okay, I can understand that :). Thx to you all.
Now, I just do not understand the concept of session in the browser. I am sorry if I am repeating the question that you all have answered but I can't understand it.

1. In one PC, there is one cookie directory to be shared by all browsers. The cookie directory may contain several sessions uniquely identified by their session ID (Not sure about it).
2. If the cookie is disabled, we can use URL rewriting to identify the session ID in the URL itself.

Are my statements right?

Question
----------
1. What happens if you use File->New in IE, will the new instance of IE have the same session ID as the previous one where the user executed File->New?
2. If I am opening the new IE NOT from File->New, will it create the new instance of session ID (if necessary)?

Thanks

Regards
Dave
0
 
suprapto45 (Author) Commented:
Thx objects.

Things are better for me. I will accept the answer in the next few hours....lunch time :)

Regards
Dave
0
 
objects Commented:
> lunch time :)

u must be close, what part of the world?
0
 
suprapto45 (Author) Commented:
Hi objects,

I am in Singapore :). However, today I am going to have lunch quite early haha :).

Regards
Dave
0
 
suprapto45 (Author) Commented:
Hi,

Thanks objects...I decided to split the points :). Anyway, which part of Australia are you from?

Regards
Dave
0
 
suprapto45 (Author) Commented:
Anyone is feeling unfair :) ? Just let me know
Regards
Dave
0
 
objects Commented:
I'm in Sydney :)
0