How to differ sessions in browser-tabs?

后端 未结 21 1403
情深已故
情深已故 2020-11-22 08:48

In a web-application implemented in java using JSP and Servlets; if I store information in the user session, this information is shared from all the tabs from the same brows

相关标签:
21条回答
  • 2020-11-22 09:03

    I've been reading this post because I thought I wanted to do the same thing. I have a similar situation for an application I'm working on. And really it's a matter of testing more than practicality.

    After reading these answers, especially the one given by Michael Borgwardt, I realized the work flow that needs to exist:

    1. If the user navigates to the login screen, check for an existing session. If one exists bypass the login screen and send them to the welcome screen.
    2. If the user (in my case) navigates to the enrollment screen, check for an existing session. If one exists, let the user know you're going to log that session out. If they agree, log out, and begin enrollment.

    This will solve the problem of user's seeing "another user's" data in their session. They aren't really seeing "another user's" data in their session, they're really seeing the data from the only session they have open. Clearly this causes for some interesting data as some operations overwrite some session data and not others so you have a combination of data in that single session.

    Now, to address the testing issue. The only viable approach would be to leverage Preprocessor Directives to determine if cookie-less sessions should be used. See, by building in a specific configuration for a specific environment I'm able to make some assumptions about the environment and what it's used for. This would allow me to technically have two users logged in at the same time and the tester could test multiple scenarios from the same browser session without ever logging out of any of those server sessions.

    However, this approach has some serious caveats. Not least of which is the fact that what the tester is testing is not what's going to run in production.

    So I think I've got to say, this is ultimately a bad idea.

    0 讨论(0)
  • 2020-11-22 09:04

    I've come up with a new solution, which has a tiny bit of overhead, but seems to be working so far as a prototype. One assumption is that you're in an honour system environment for logging in, although this could be adapted by rerequesting a password whenever you switch tabs.

    Use localStorage (or equivalent) and the HTML5 storage event to detect when a new browser tab has switched which user is active. When that happens, create a ghost overlay with a message saying you can't use the current window (or otherwise disable the window temporarily, you might not want it to be this conspicuous.) When the window regains focus, send an AJAX request logging the user back in.

    One caveat to this approach: you can't have any normal AJAX calls (i.e., ones that depend on your session) happen in a window that doesn't have the focus (e.g. if you had a call happening after a delay), unless you manually make an AJAX re-login call before that. So really all you need do is have your AJAX function check first to make sure localStorage.currently_logged_in_user_id === window.yourAppNameSpace.user_id, and if not, log in first via AJAX.

    Another is race conditions: if you can switch windows fast enough to confuse it, you may end up with a relogin1->relogin2->ajax1->ajax2 sequence, with ajax1 being made under the wrong session. Work around this by pushing login AJAX requests onto an array, and then onstorage and before issuing a new login request, abort all current requests.

    The last gotcha to look out for is window refreshes. If someone refreshes the window while you've got an AJAX login request active but not completed, it'll be refreshed in the name of the wrong person. In this case you can use the nonstandard beforeunload event to warn the user about the potential mixup and ask them to click Cancel, meanwhile reissuing an AJAX login request. Then the only way they can botch it is by clicking OK before the request completes (or by accidentally hitting enter/spacebar, because OK is--unfortunately for this case--the default.) There are other ways to handle this case, like detecting F5 and Ctrl+R/Alt+R presses, which will work in most cases but could be thwarted by user keyboard shortcut reconfiguration or alternative OS use. However, this is a bit of an edge case in reality, and the worst case scenarios are never that bad: in an honour system configuration, you'd be logged in as the wrong person (but you can make it obvious that this is the case by personalizing pages with colours, styles, prominently displayed names, etc.); in a password configuration, the onus is on the last person who entered their password to have logged out or shared their session, or if this person is actually the current user, then there's no breach.

    But in the end you have a one-user-per-tab application that (hopefully) just acts as it should, without having to necessarily set up profiles, use IE, or rewrite URLs. Make sure you make it obvious in each tab who is logged into that particular tab, though...

    0 讨论(0)
  • 2020-11-22 09:06

    In javascript, how can I uniquely identify one browser window from another which are under the same cookiedbased sessionId

    Essentially use window.name. If its not set, set it to a unique value and use it. It will be different across tabs that belong to same session.

    0 讨论(0)
  • 2020-11-22 09:06
    How to differ sessions in browser-tabs?
    

    The most straightforward way to differ sessions in browser tabs is to disallow your particular domain to set cookies. That way, you can have separate sessions from separate tabs. Say you disallow cookies from this domain: www.xyz.com. You open Tab 1, login and start browsing. Then you open Tab 2, and you can login either as a same user or a different one; either way, you will have a session separate from Tab 1. And so on.

    But of course this is possible when you have control over the client side. Otherwise, the solutions prescribed by the folks here should apply.

    0 讨论(0)
  • 2020-11-22 09:07

    I developed a solution to this problem recently using Cookies. Here is a link to my solution. I have also included sample code of the solution using ASP.NET, you should be able to adapt this to JSP or Servelets if you need.

    https://sites.google.com/site/sarittechworld/track-client-windows

    0 讨论(0)
  • 2020-11-22 09:10

    Storing the timeStamp in window.sessionStorage if it is not already set. This will give a unique value for each tab(even if the URLs are same)

    http://www.javascriptkit.com/javatutors/domstorage.shtml

    https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Storage

    Hope this helps.

    0 讨论(0)
提交回复
热议问题