Different browser means a different client from the same machine

Front-end · Unresolved · 2 · 660
刺人心 2021-01-22 16:43
  1. If I open a new Tab (or Window) of the same browser I am working on (say Firefox), then it would be considered as the same client by the server.

  2. But, if

2 answers
  • 2021-01-22 17:23

    Technically, this should not be possible. The server identifies clients by setting a cookie on them, and browsers do not share their cookies (they only share them between tabs, that's why you see that different tabs are treated as the same client). You could try identifying by IP address, but then all the clients behind a proxy would erroneously be identified as the same client. Any other way of uniquely identifying a client would involve getting information from the machine (something like the MAC address, for instance) and for security reasons browsers are not allowed to do this.

  • 2021-01-22 17:29

    "If I open a new Tab (or Window) of the same browser I am working on (say Firefox)"

    Your premise is not accurate.

    If I use a different profile of the same browser (Firefox, or Chrome, etc.), it would be considered a different session.

    That is the idea - that I can have the privacy of not letting the server or web service see my other profiles. As the user, I will not ever let your app cross that line of inquiring into my other browsers or profiles. Moreover, FF, Chrome, Safari, IE, etc do not share the same storage schema for their cookies.

    Of course, you could spend a lot of time attempting to hack up a desktop app that would exchange cookies between the browsers - but that would be useless because

    • how are you going to decrypt those cookies?
    • are you willing to write the same app for all the operating systems?
    • then how are you going to convince me to trust you to let you install that cookie incursion app on my system?

    Your time would be better spent on industry accepted and prevalent practices.

    However, if your application has user login/authentication, then I would want your app to recognise me and my history no matter which PC, which profile, or which part of the world I am in.

    Therefore, the answer to your question is - user authentication.

    You should not deal with mucking around the server to recognise the same session id, across multiple PCs or browser "sessions". It gets to be wiry, hairy and kludgy.

    Don't reinvent the wheel. Use OpenID or OAuth2.

    OpenID-consumer is very simple to implement. Simple as it is, there are not many literature examples on implementing OpenID. But Google has put up a sufficient amount of helpful literature on OAuth.

    Google Federated login/OAuth is also quite fun and easy to implement. Even with GWT.

    The question remains - why do I want to complicate the matter with user authentication when all I want is to share a session across multiple "browser sessions"? The reason is security. Even if it is an internal company application. Do you think your managers would want to know that anyone in the company could masquerade their sessions?

    By the time you got deep into your project, you would realise there is no point trying to escape from the user authentication route. And there is no point whipping up your own secure session authentication framework.

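As an added illustration (not code from either answer), here is a minimal Python session handler that behaves the way the two answers describe: the server identifies a client by a signed session cookie rather than by IP, every tab of one browser shares the same cookie jar while a second browser on the same machine gets its own session, a tampered cookie is rejected, and a login is what finally links both sessions to one user. The `Server` class, the cookie-jar dicts and the addresses are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed demo key; a real server would load this from configuration.
SECRET = secrets.token_bytes(32)

def _sign(sid: str) -> str:
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()

class Server:
    """Hypothetical server: identifies clients by a signed session cookie
    (never by IP) and ties a session to a user id once the user logs in."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Optional[str]] = {}  # session id -> user id

    def handle(self, cookies: Dict[str, str], ip: str,
               login_as: Optional[str] = None) -> Tuple[str, Optional[str]]:
        sid = None
        token = cookies.get("sid", "")
        if "." in token:
            cand, sig = token.rsplit(".", 1)
            # Reject unknown ids and forged signatures (constant-time compare).
            if cand in self.sessions and hmac.compare_digest(_sign(cand), sig):
                sid = cand
        if sid is None:  # no valid cookie: a new client, whatever its IP is
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = None
            cookies["sid"] = f"{sid}.{_sign(sid)}"  # the Set-Cookie response
        if login_as is not None:
            self.sessions[sid] = login_as  # authentication unifies the sessions
        return sid, self.sessions[sid]

def demo() -> Dict[str, object]:
    srv = Server()
    firefox: Dict[str, str] = {}  # one cookie jar shared by every Firefox tab
    chrome: Dict[str, str] = {}   # a second browser on the same machine
    tab1, _ = srv.handle(firefox, "10.0.0.5")
    tab2, _ = srv.handle(firefox, "10.0.0.5")   # new tab, same jar
    other, _ = srv.handle(chrome, "10.0.0.5")   # same IP, different client
    tok = firefox["sid"]                        # flip the last signature char
    forged, _ = srv.handle({"sid": tok[:-1] + ("0" if tok[-1] != "0" else "1")},
                           "10.0.0.5")
    _, user_ff = srv.handle(firefox, "10.0.0.5", login_as="alice")
    _, user_ch = srv.handle(chrome, "10.0.0.5", login_as="alice")
    return {"tabs_share_session": tab1 == tab2,
            "browsers_share_session": tab1 == other,
            "forged_cookie_accepted": forged == tab1,
            "user_seen_in_both": user_ff == user_ch == "alice"}
```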