Does it ever make sense to have two concurrent sessions in the same browser?

I was wondering whether it would ever make sense to have two concurrent sessions in the same browser. There could be two types of cases with this:
1) A user opens a browser window and logs in as user A, starting session 1. Then he opens another browser window (in the same browser) where he logs in as user A, but starts a different session, session 2.
I know that this is often not possible in many browsers, as one session cookie is set for the entire browser. However, in some browsers, it is possible to have multiple sessions in that manner.
2) This is similar to 1, except that the second time the user logs in, he logs in as user B, starting session 2. So now you have a person logged in as two users in the same browser.
Finally, allowing these things doesn't seem like the best security practice and neither does it seem to be practical. What do others think?

First things first: your assumption is wrong. First of all, you have to understand that a single website accessed from a browser has a single session, and it is not possible to simultaneously run different sessions of the same web browser.
It seems you have misunderstood how private browsing works. Private sessions are made not to share information, cookies and data with other public sessions, and vice versa. As soon as you close the private session, all the cache, cookies and other things are deleted forever.
I have not seen any web browser supporting multiple sessions of the browser.
But an alternative approach is available, i.e. you have to create different web browser profiles, which can help you as each profile's data is maintained separately and has no conflict with other sessions.

One possible scenario currently I am facing requires allowing multiple user sessions from the same browser and I have not been able to find a proper solution for it yet.
We are using the Yii framework. Currently we have two kinds of users, i.e. customers and admins. Both log in from the same login form and use the same session name and variables to store session information. Only based on the type column in the user table (customer or admin), the user is taken to the appropriate views. In one of the admin views (pages), there is an option for the admin to log in as any of the users and propagate through the user's view in an iframe. The problem is that when the admin opens two tabs and logs in as two different users, the session information of one overwrites the other and we start getting session-related issues.
Can anyone suggest a proper way to handle these kinds of issues? I have searched a lot on trying to handle this with multiple sessions, but have not been able to find a proper solution yet.

There's nothing to "provide support for" here. One browser cannot hold more than one session, since it only holds one unique cookie per site, regardless of window. If a browser actually has a mode in which it supports holding two separate identical cookies per site, then it's the same as if the user logged on from another browser or another machine. That certainly should work; i.e. you should not try to subvert that behavior. A double session inside the same browser is then just a specific instance of this multi-session behavior, nothing special.

Related

How do sessions work together in PassportJS

I am having trouble understanding the login flow and signup flow in PassportJS and ExpressJS. What I really wanted to do is test whether different sessions are being created. So I opened up a server and opened two windows, both at login pages, and then I log in and a session is created, but it is created for only one person, i.e. the one who enters last; in my sessions table there is always one entry. Is this the expected behavior or is this wrong? How can I test this behavior in real time, i.e. logging in 20 users and seeing 20 entries in my sessions table?
It depends on how you are handling sessions, most likely cookies, in which case you may need to refresh the browser. If that doesn't work, your cookie expiry date may not be set properly or you may not be deserializing properly. Read this for reference: https://scotch.io/tutorials/easy-node-authentication-setup-and-local

Session handling in Struts 2

I have been stuck with a session handling problem for the past few days.
I am working on an application where a user logs into his account and can register their details or change them. How do I manage sessions in this case? I mean, how can I access the attribute of a session in different action classes?
Also, when I click on log out and after that I press the back button in the browser, it goes back to the previous page and the user can change their details, which should not happen. Please help!
The back button "issue" is because you have not disabled page caching.
Session data is available in actions via the SessionAware interface.
Sessions are per-user (more or less, actually per-conversation, and how that's implemented varies somewhat across browser versions), not sure what you mean regarding concurrent users.

Store data for bookmarklet

I am making a bookmarklet which calls a Google App Engine app. The GAE app uses login information, which I want to store in the bookmarklet, so when the user first clicks the bookmarklet it asks for login info, but from the next time onwards it automatically supplies it.
The difficulty of a bookmarklet directly storing data is that it can only store data in a cookie or in localStorage, both of which "belong" to whatever page it is currently on. That means it won't work again the next time you use it on a different page, and it also means the page you are on can access the data, which is generally very bad for security.
There are two basic ways your situation is generally handled. The two main ways are:
1.) The application used keeps the user logged in with a cookie. The login information is not stored in the cookie; only a session ID is. This is like when you return to many popular websites, you don't have to log in again. Very often these types of bookmarklets open a small popup for the user which contains a page from the app. If the user is not logged in, the app prompts the user to log in first. The bookmarklet in fact knows nothing about being signed in or not.
2.) Each bookmarklet is custom created for each person. So my bookmarklet would be different from yours. The difference is simply that mine will contain my login info in the code, and yours will contain your login information in the code. In fact we would each have to log in to the app first before we can get our own personalized bookmarklet.
Generally, option 1 is better and easier and more secure.
If I understand it correctly, this might help you: http://ajaxian.com/archives/whats-in-a-windowname
It allows for storing data in window.name in JS, allowing access to up to 2 MB of data (a lot more than cookies can hold), and I believe it can be used across tabs...

Spring multiuser application overrides session

I'm developing my web app with Spring MVC 2.5.6 and I need some help with multiple user sessions in it. The header of my app shows the logged-in user.
On my computer, I open two browsers (no tabs):
In the first one, I log in to my app with user1 and get in. In the header, user1 appears.
In the second, I log in with user2 and go on. In the header, user2 appears.
Then, I switch to the first browser, submit an operation to the controller, and when the app is shown again, user2 appears in the header, which is wrong because I logged in with user1.
So, my questions are:
SecurityContextHolder.getContext().getAuthentication().getName() may not be the right way to get the logged-in user with many users, because it's a singleton (isn't it?). How could I do this?
This wrong situation is also happening with the session object, so user1 data stored in the session object (managed with request.getSession().setAttribute(...) and request.getSession().getAttribute(...)) is overridden with user2 data.
In this StackOverflow question, Handling Session ID with Spring, it's suggested that the session ID be managed to separate data. Should I manually manage each user's data with the session ID internally in my application? How could I get the session ID?
In general terms, my problem is with dealing with multiple users/sessions.
Any help would be very much appreciated. Thanks in advance.
Best regards
On my computer, I open two browsers (no tabs):
In the first one, I log in to my app with user1 and get in. In the header, user1 appears.
In the second, I log in with user2 and go on. In the header, user2 appears.
Then, I switch to the first browser, submit an operation to the controller, and when the app is shown again, user2 appears in the header, which is wrong because I logged in with user1.
With session as normally implemented, this is normal behavior if the client is running two windows or tabs of the same browser on the same machine, as they share the session.
If you open the app in IE and Firefox, they will not share a session, and things will work properly.
I don't believe there's a way to get the browser to stop sharing session among windows, so if you need them to act independently, you'll need to essentially create your own session mechanism, likely by using hidden fields or some such hack rather than the cookies or url-rewriting the normal mechanism uses.
It would be better to just accept the situation. Let the user know when they open the second window and connect to your app that they are already logged in, and don't allow another login.

Session is lost on new request in classic ASP site

This isn't easy to explain, but I'll try my best.
The issue has started happening in a site that was built some years ago using classic ASP. The symptom is that the administrators log in using a form and then a session variable is set, but suddenly when they request a new page they are prompted again to log in.
This problem isn't specific to any browser; I've reproduced the problem with Firefox and IE8.
Using Fiddler I can see that suddenly the server sends a new Set-Cookie header, despite a previous session cookie being sent in the request.
From that moment, the server switches between the two sessions randomly. None of the sessions seems expired, they preserve their own variables, but for the user it's useless because he might be asked to log in and then the form data is processed in the already logged-in session.
What can I try to find out the problem?
The server is shared hosting with IIS6; the hosting company isn't too friendly, but the cost of moving everything to another place makes things stay as they are.
Thanks.
Some further info:
Showing the machine name as suggested by Aaron D. always shows the same name, but I had stored the start time of the application in global.asa:
Sub Application_OnStart()
Application("Start") = now()
End Sub
And it turns out that when showing that info in a test page, it does change as the detected session changes. So there are two servers (with the same name) or somehow it's running the application twice.
Is it possible?
I have a couple ideas but nothing definitive.
Are some requests over HTTPS and others over HTTP? Are the cookies set to only transfer over secure connections?
Are your requests alternating between a subdomain and the primary domain? For example, some requests go to www.foo.com and others to foo.com? The cookies may not be shared between the two unless you set the domain inside the cookie. This could also happen with multiple subdomains.
This one is less common, but is the company hosting your site on multiple servers that are distributing the load? You could tell this by creating a page as specified here:
http://mentaljetsam.wordpress.com/2008/01/29/classic-asp-code-to-print-current-server-name/
If this turns out to be the case, the solution will be to change your session state model from "InProc" to use a shared resource such as a database.
Are you sure that it switches you between sessions and doesn't just expire your session away? It could be that your app is restarting (based on your edit) and this is killing your sessions, but the cached result makes it look like it's still valid. Can you try doing hard refreshes and/or check the results with an HTTP traffic watcher like Fiddler? That might give you a better clue about what requests are actually going across the wire.
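The checks this answer suggests (a new Set-Cookie arriving although the request carried a session cookie, an HTTPS/HTTP switch, a hop between www.foo.com and foo.com), as an added example that is not from the question or the answers: a small checker run over a constructed sequence of request/response pairs of the kind one would export from Fiddler. The entry format, the function names and the shortened cookie name are assumptions made for the example.

```javascript
// Added example (not from any post above): walk a sequence of request/response
// pairs, as captured with Fiddler, and flag the symptoms the answer lists.
// Log entries are constructed; ASP's real session cookie name is ASPSESSIONID
// followed by random letters, shortened here to a fixed suffix.
const SESSION_COOKIE = /ASPSESSIONID\w*=([^;]+)/;

function sessionId(header) {
  const m = header ? header.match(SESSION_COOKIE) : null;
  return m ? m[1] : null;
}

// Each entry: scheme and host of the request, the Cookie header the client
// sent (null if none) and the Set-Cookie header the server returned (null if none).
function findSessionAnomalies(entries) {
  const findings = [];
  let prev = null;
  entries.forEach((e, i) => {
    const sent = sessionId(e.cookie);
    const issued = sessionId(e.setCookie);
    // The core symptom: the request carried a session cookie, yet the server
    // minted a new one (app restarted, or a second server/worker answered).
    if (sent && issued && issued !== sent) {
      findings.push({ index: i, kind: 'new-session-despite-cookie', from: sent, to: issued });
    }
    if (prev) {
      // Cookie held after the previous exchange but not sent now: check the
      // Secure flag (https -> http) and the cookie domain (www.foo.com vs foo.com).
      const held = sessionId(prev.setCookie) || sessionId(prev.cookie);
      if (held && !sent) findings.push({ index: i, kind: 'cookie-not-sent', held });
      if (prev.host !== e.host) findings.push({ index: i, kind: 'host-changed', from: prev.host, to: e.host });
      if (prev.scheme !== e.scheme) findings.push({ index: i, kind: 'scheme-changed', from: prev.scheme, to: e.scheme });
    }
    prev = e;
  });
  return findings;
}

// Constructed capture: steady session, then an unexpected Set-Cookie, then a
// hop to the bare domain over plain http where the cookie is not presented.
const SAMPLE_LOG = [
  { scheme: 'https', host: 'www.foo.com', cookie: 'ASPSESSIONIDABCD=s1', setCookie: null },
  { scheme: 'https', host: 'www.foo.com', cookie: 'ASPSESSIONIDABCD=s1', setCookie: 'ASPSESSIONIDABCD=s2; path=/' },
  { scheme: 'http', host: 'foo.com', cookie: null, setCookie: 'ASPSESSIONIDABCD=s3; path=/' },
  { scheme: 'https', host: 'www.foo.com', cookie: 'ASPSESSIONIDABCD=s2', setCookie: null },
];

// Compact "index:kind" summary of the findings for the sample capture.
function kinds(entries = SAMPLE_LOG) {
  return findSessionAnomalies(entries).map(f => `${f.index}:${f.kind}`);
}
```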