Different browser instances use same HttpRequest session

Jim

I have a web application that keeps some basic information, such as a user
ID, in attributes on the Session object. This information is used by the
java server pages and java servlets of the application to display the
correct information on the dynamic pages.

The scenario:
1. Open a browser, login as user A, the data for A is displayed.
2. Open a 2nd browser window, login as user B, data for B is displayed.
3. Refresh the 1st browser window. The displayed data is for user B!
This makes it really hard to do testing on the app.

Looking at some debug output, I see the session ID is the same regardless of
which browser instance is asking for pages.

This only happens with Netscape; with IE, the sessions are different. The
web server is Tomcat.

Can anyone 1) explain this to me and 2) offer a way around it?

Thanks in advance.

Jim Cant
 
Brooks Hagenow

Jim said:
I have a web application that keeps some basic information, such as a user
ID, in attributes on the Session object. This information is used by the
java server pages and java servlets of the application to display the
correct information on the dynamic pages.

The scenario:
1. Open a browser, login as user A, the data for A is displayed.
2. Open a 2nd browser window, login as user B, data for B is displayed.
3. Refresh the 1st browser window. The displayed data is for user B!
This makes it really hard to do testing on the app.

Looking at some debug output, I see the session ID is the same regardless of
which browser instance is asking for pages.

This only happens with Netscape; with IE, the sessions are different. The
web server is Tomcat.

Can anyone 1) explain this to me and 2) offer a way around it?

Thanks in advance.

Jim Cant

I don't have a way around it since I don't use or worry about Netscape. But
I think that is just the way Netscape is. IE creates a new session ID if
you open the browser via the start menu, double clicking the icon on the
desktop, etc. But if you open a new window from an existing IE window by
hitting CTRL + N or selecting new window from the file menu you will have
the same result as you are having with Netscape.

I think what Netscape is doing is seeing that it is already open and instead
of opening up a new browser session, it is just giving you a new window of
the existing session.
 
Michael Borgwardt

Jim said:
The scenario:
1. Open a browser, login as user A, the data for A is displayed.
2. Open a 2nd browser window, login as user B, data for B is displayed.
3. Refresh the 1st browser window. The displayed data is for user B!
This makes it really hard to do testing on the app.

Looking at some debug output, I see the session ID is the same regardless of
which browser instance is asking for pages.

This only happens with Netscape; with IE, the sessions are different. The
web server is Tomcat.

Can anyone 1) explain this to me

Session identification can happen either through cookies or through URL rewriting,
which is used if cookies are disabled. Cookies are on a per-browser basis and persist
even when the user goes to another website and then returns, while URL rewriting works
on a per-window basis, with the session being lost when the user goes to a different
website.

Sounds to me like Netscape has cookies enabled while IE hasn't.

and 2) offer a way around it?

Generally, you shouldn't care.
 
Jim

Thanks for the help; it led me to a solution (see below).

Michael Borgwardt said:
Session identification can happen either through cookies or through URL rewriting,
which is used if cookies are disabled. Cookies are on a per-browser basis and persist
even when the user goes to another website and then returns, while URL rewriting works
on a per-window basis, with the session being lost when the user goes to a different
website.

Netscape is indeed saving a cookie with the session id in it.

Sounds to me like Netscape has cookies enabled while IE hasn't.

However, IE does not seem to do this; if I turn on prompting when cookies
are about to be saved, IE doesn't ask to save a cookie when it visits the
website.

Generally, you shouldn't care.

Maybe in general I need not care but I don't see why I should not.
In this particular case, I did care. If I could not have two different users
working at the same time, I would have had to close and reopen the browser
for every user action.

The solution was to turn cookies off for my web site in Netscape (which
works since the site does not use cookies itself). I suppose I could rewrite
the session cookie if needed.
 
Jim

Oops, spoke too soon.

FYI. My solution of turning off cookies for a web site to prevent all
instances of Netscape from being in the same session isn't workable. Seems
that whenever a new page is loaded (at least when we go to a servlet to get
the next page) a new session gets created. This means one cannot save
'state' by setting session attributes.

Phooey.
 
Michael Borgwardt

Jim said:
Oops, spoke too soon.

FYI. My solution of turning off cookies for a web site to prevent all
instances of Netscape from being in the same session isn't workable. Seems
that whenever a new page is loaded (at least when we go to a servlet to get
the next page) a new session gets created. This means one cannot save
'state' by setting session attributes.

No, it just means you didn't use URL rewriting correctly. For it to work, all
URLs within the application must carry the session ID, which is done with the
encodeUrl() method in the HttpServletResponse interface.
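
The URL rewriting described in this thread, as an added example that is not part of any poster's message: a servlet that emits its links through encodeURL() (the non-deprecated spelling in HttpServletResponse) so the session survives when the browser returns no session cookie. The class name AccountServlet, the paths /login and /orders, and the "userId" attribute are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet (added example, not from the thread). Assumes a login
// servlet at /login has already stored "userId" in the session.
public class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false): look up the session named by the request, but do
        // not create a fresh one. A request that arrives without a session ID
        // (cookies off, link not rewritten) therefore shows up as null here.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("userId") == null) {
            resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/login"));
            return;
        }

        // How the browser sent the session ID on this request.
        String carrier = req.isRequestedSessionIdFromCookie() ? "cookie"
                : req.isRequestedSessionIdFromURL() ? "URL rewriting" : "none";

        // encodeURL() appends ";jsessionid=<id>" only when the container has
        // not seen the session cookie come back; otherwise it returns the
        // URL unchanged, so it is safe to call on every link.
        String ordersLink = resp.encodeURL(req.getContextPath() + "/orders");

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<p>User ID: " + escapeHtml(String.valueOf(session.getAttribute("userId"))) + "</p>");
        out.println("<p>Session ID carried by: " + carrier + "</p>");
        out.println("<a href=\"" + escapeHtml(ordersLink) + "\">Orders</a>");
    }

    // Minimal HTML escaping for values written into the page.
    private static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

With rewriting in effect the session ID is part of every URL, so it also appears in browser history, server access logs and Referer headers; cookie-based tracking keeps it out of those places.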
 
