How to differ sessions in browser-tabs?

Question

In a web-application implemented in java using JSP and Servlets; if I store information in the user session, this information is shared from all the tabs from the same brows

Answer 1

If it's because each tab will be running a different flow in your application, and mixing both flows causes problems, then it's better to "Regionalize" your session objects, so that each flow will use a different region of the session

This region can be implemented as simply as having different prefixes for each flow, or session object will hold multiple maps (one for each flow), and you use those maps instead of session attributes, the best though would be to extend your session class and use it instead.

Answer 2

I'll be honest here. . .everything above may or may not be true, but it all seems WAY too complicated, or doesn't address knowing what tab is being used server side.

Sometimes we need to apply Occam's razor.

Here's the Occam's approach: (no, I'm not Occam, he died in 1347)

1) assign a browser unique id to your page on load. . . if and only if the window doesn't have an id yet (so use a prefix and a detection)

2) on every page you have (use a global file or something) simply put code in place to detect the focus event and/or mouseover event. (I'll use jquery for this part, for ease of code writing)

3) in your focus (and/or mouseover) function, set a cookie with the window.name in it

4) read that cookie value from your server side when you need to read/write tab specific data.

Client side:

//Events 
$(window).ready(function() {generateWindowID()});
$(window).focus(function() {setAppId()});
$(window).mouseover(function() {setAppId()});


function generateWindowID()
{
    //first see if the name is already set, if not, set it.
    if (se_appframe().name.indexOf("SEAppId") == -1){
            "window.name = 'SEAppId' + (new Date()).getTime()
    }
    setAppId()
}

function setAppId()
{
    //generate the cookie
    strCookie = 'seAppId=' + se_appframe().name + ';';
    strCookie += ' path=/';

    if (window.location.protocol.toLowerCase() == 'https:'){
        strCookie += ' secure;';
    }

    document.cookie = strCookie;
}

server side (C# - for example purposes)

//variable name 
string varname = "";
HttpCookie aCookie = Request.Cookies["seAppId"];
if(aCookie != null) {
     varname  = Request.Cookies["seAppId"].Value + "_";
}
varname += "_mySessionVariable";

//write session data 
Session[varname] = "ABC123";

//readsession data 
String myVariable = Session[varname];

Done.

Answer 3

Note: The solution here needs to be done at application design stage. It would be difficult to engineer this in later.

Use a hidden field to pass around the session identifier.

For this to work each page must include a form:

<form method="post" action="/handler">

  <input type="hidden" name="sessionId" value="123456890123456890ABCDEF01" />
  <input type="hidden" name="action" value="" />

</form>

Every action on your side, including navigation, POSTs the form back (setting the action as appropriate). For "unsafe" requests, you could include another parameter, say containing a JSON value of the data to be submitted:

<input type="hidden" name="action" value="completeCheckout" />
<input type="hidden" name="data" value='{ "cardNumber" : "4111111111111111", ... ' />

As there are no cookies, each tab will be independent and will have no knowledge of other sessions in the same browser.

Lots of advantages, particularly when it comes to security:

• No reliance on JavaScript or HTML5.
• Inherently protects against CSRF.
• No reliance on cookies, so protects against POODLE.
• Not vulnerable to session fixation.
• Can prevent back button use, which is desirable when you want users to follow a set path through your site (which means logic bugs that can sometimes be attacked by out-of-order requests, can be prevented).

Some disadvantages:

• Back button functionality may be desired.
• Not very effective with caching as every action is a POST.

Further information here.

Answer 4

you will need to do

1- store a cookie for accounts list

2- optional store a cookie for default one

3- store for each account with it's index like acc1, acc2

4- put in the url something represent the index of accounts and if not you will select the default one like google mail domain.com/0/some-url >> 0 here represent the index of account also you may need to know how to use urlwrite

5- when select a cookie, select it according to your urlpath represent the account index

Regards

Answer 5

I think what you probably want is to maintain navigation state across tabs and not specifically creating a single session per tab. This is exactly what the Seam framework achieves with their Conversation scope/context. Their implementation relies on the fact that a conversation id is propagated with each request and creates the notion of a conversation on the server side, which is something that lies between a session and a request. It allows for navigation flow control and state management.

Although that's mainly aimed at JSF, have a look and check if that's something where you can take some ideas from: http://docs.jboss.org/seam/latest/reference/en-US/html_single/#d0e3620

Answer 6

You can use link-rewriting to append a unique identifier to all your URLs when starting at a single page (e.g. index.html/jsp/whatever). The browser will use the same cookies for all your tabs so everything you put in cookies will not be unique.