Preventing multiple browser sessions on the same server session

Question

I\'m sure we\'ve all worked on, or are aware of web applications (especially in the enterprise) that have tightly bound themselves to the server session. In these cases, it

Answer 1

It is too late in the day. But you may wish to consider the option of generating a random string at the server and sending this to the frontend in a hidden form. Maintain the last random key for the session in the session object of the user. Everytime the user makes a request to the server send this random key back. Check the random key from the browser with the one stored in the session. If they do not match then you can tell the user that they should use the other window. Not very user friendly, but would work.

Answer 2

A very simple solution that you may or may not be able to use is have a single page (ie, a single URL such as home.whatever) for the ajax application. If they request that same page a second time and there is already a valid session, then you know they opened a new tab or a new window. Note that you wouldn't be able to distinguish this from a refresh, however.

Your solution is way too complicated.

Answer 3

My major concern would be whether this gets compromised when there's network latency. That is, any trouble would probably come from issues for which ping is generally used for in the first place.

Answer 4

I worked on a single window web application many years ago (pre-dating "Web 2.0"). We simply launched a new window without any toolbars (no back button, etc) and disabled right-clicking. We took care to create a very usable in-session navigation system. This was enough to prevent almost all accidental duplicate browsing. This was an intranet application; obviously I'd never recommend doing anything like this on a general website.

Personally, I don't like the sound of the ping detector. I would just make sure that no data corruption can ever possibly occur. Multiple browser sessions is not a valid excuse for that... although I understand how it can be problematic. But if you want to add a ping detector on top of perfectly working code, then it might serve as a helpful reminder to the user.

You could add a unique token to the end of every link. If the unique token is used more than once (e.g., opening a new window, bookmarking, back, forward), then the request could be denied. With proper tracking, you could ensure that it's never possible to get from one page to another without taking a valid path. This approach is more reliable than the ping (as it is controlled by the server), but could result in a very annoying user experience.

The short of it is: fix your application to not corrupt any data. I know that may not be a trivial thing, and I don't mean to make light of it. Implementing pings and such may help make the problem disappear, but I guarantee you that if something can go wrong, it eventually will. :-)

Answer 5

What browser do the users use?
We solved a data corruption solution when IE8 came out, and provided the NoMerge option.

Answer 6

If you really are in a bind and cannot fix the application to sanely handle multiple browser instances sharing the same session, then yes, this is a sound approach.

For what it is worth, I have used the exact same concept to enforce concurrent usage license constraints - so it WILL detect multiple users sharing the same "key", which in your case is the session.

I would modify your approach only slightly, and have the ping message contain the date/time of the client - so that you can avoid dealing with network latency at all in your calculations.