
List:       tomcat-user
Subject:    Re: how to invalidate old sessions when new user access appl on same
From:       Christopher Schultz <chris () christopherschultz ! net>
Date:       2008-12-29 20:47:15
Message-ID: 49593753.5070205 () christopherschultz ! net

Nicolas,

Nicolas Romantzoff wrote:
> Session is bound to a connection (browser session) basically, not a
> machine.
> If you open a second browser (or a second tab) you should get a different
> session-id.

That's debatable, and depends on application requirements.

> Don't use JSESSIONID in url parameters, but in session cookie (unless you
> need to cross protocols like http <-> https)

Actually, this is exactly backward: if you use JSESSIONID cookies, then
the browser will always have the same user "logged-in" no matter how
many windows you open. "Old" windows will suddenly inherit the
credentials of the "new" windows, etc.

If you want to be able to have multiple windows opened from the same
web browser on the same machine with different logins, you need to
DISABLE the use of cookies. This is possible by setting cookies="false"
in your <Context> element for your webapp.

-chris

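Added example (not part of the original message, and not Tomcat code): a small Python model of the behaviour discussed above, comparing one session cookie shared by every window of a browser with a session id carried in each window's own URLs, as happens when cookies are disabled. The names SessionServer, Browser and two_window_scenario and the /app path are hypothetical.

```python
import secrets


class SessionServer:
    """Toy model of container session tracking (assumption, not Tomcat code)."""

    def __init__(self, use_cookies):
        self.use_cookies = use_cookies
        self.sessions = {}                  # session id -> attributes

    def handle(self, path, cookie_id=None, login=None):
        """Process one request; return (user, cookie_to_set, next_link)."""
        path, _, url_id = path.partition(";jsessionid=")
        # With cookies disabled, only the id embedded in the URL is honoured.
        sid = cookie_id if self.use_cookies else url_id
        if sid not in self.sessions:
            sid = secrets.token_hex(16)     # unknown or missing id: new session
            self.sessions[sid] = {}
        if login:
            self.sessions[sid]["user"] = login
        user = self.sessions[sid].get("user", "anonymous")
        # Stand-in for URL rewriting: links carry the id when no cookie is used.
        link = path if self.use_cookies else f"{path};jsessionid={sid}"
        return user, (sid if self.use_cookies else None), link


class Browser:
    """One browser process: all windows share a single cookie jar."""

    def __init__(self, server):
        self.server = server
        self.cookie = None                  # shared JSESSIONID cookie
        self.window_link = {}               # window -> link it follows next

    def request(self, window, login=None):
        path = self.window_link.get(window, "/app")
        user, set_cookie, link = self.server.handle(path, self.cookie, login)
        if set_cookie:
            self.cookie = set_cookie
        self.window_link[window] = link
        return user


def two_window_scenario(use_cookies):
    """Log in as alice in window1, bob in window2, then click once in each."""
    browser = Browser(SessionServer(use_cookies))
    browser.request("window1", login="alice")
    browser.request("window2", login="bob")
    return browser.request("window1"), browser.request("window2")
```

With use_cookies=True both windows end up as bob; with use_cookies=False window1 stays alice and window2 stays bob. In the second mode the id is part of every link, so anyone who obtains such a URL (from a log, a Referer header or a pasted link) holds that session.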
