| Author |
Is it possible to merge two session?
|
Yuriy Zilbergleyt
Ranch Hand
Joined: Dec 13, 2004
Posts: 429
|
|
Say a user logs in twice into a J2EE web app from two different browser instances, therefore creating two sessions. Is it possible to merge the sessions into one, so each browser instance receives the same session id?
Thank you,
Yuriy
|
 |
Gregg Bolinger
Ranch Hand
Joined: Jul 11, 2001
Posts: 15230
|
|
|
Why would you want to do that even if it is possible?
|
|
Yuriy Zilbergleyt
Ranch Hand
Joined: Dec 13, 2004
Posts: 429
|
|
In our application there might be a problem if the same user interacts with the system from multiple sessions. One solution could be to invalidate the older active session, if one exists, for a user who just logged in. But I think it would be better to just keep the older session active and use it for the new browser instance as well. That way the user can switch between the browsers and keep working.
I know that sessions can be stored in the ServletContext, probably in a map with the userid as the key, but I'm not sure how to tell the response and request objects to switch to a preexisting session. Request probably isn't necessary to switch, as the old session can be stored as an attribute and another attribute can tell servlets and jsps to use that session. Response however must be changed. Maybe manual fiddling with the headers, or could there be some function?
|
|
Yuriy Zilbergleyt
Ranch Hand
Joined: Dec 13, 2004
Posts: 429
|
|
|
Hmm, just read in Head First JSP & Servlets that JSESSIONID is a cookie. Can this cookie be manually overwritten from a servlet without the container messing with it later on?
|
|
Jeanne Boyarsky
internet detective
Marshal
Joined: May 26, 2003
Posts: 26168
|
|
Yuriy,
I wouldn't change the jsession id value. You could just copy over the relevant data to the new session and then invalidate the first one.
|
[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
|
|
Jeroen Wenting
Ranch Hand
Joined: Oct 12, 2000
Posts: 5093
|
|
Would be so nice wouldn't it?
I log in from my machine to my bank's web interface. Someone else enters my account number and because I'm logged in the server merges the sessions and he can see whatever I do and sneak in transactions emptying my account into his own.
That's why sessions should never communicate!
|
42
|
|
Yuriy Zilbergleyt
Ranch Hand
Joined: Dec 13, 2004
Posts: 429
|
|
I wouldn't change the jsession id value. You could just copy over the relevant data to the new session and then invalidate the first one.
But assuming that I don't want to invalidate the old session, I can merge the two, right?
Would be so nice wouldn't it?
I log in from my machine to my bank's web interface. Someone else enters my account number and because I'm logged in the server merges the sessions and he can see whatever I do and sneak in transactions emptying my account into his own.
That's why sessions should never communicate!
A person entering from the other session would still have to log in using the username and password. It's only afterwards that the sessions would be merged.
[ March 25, 2005: Message edited by: Yuriy Zilbergleyt ]
|
|
Yuriy Zilbergleyt
Ranch Hand
Joined: Dec 13, 2004
Posts: 429
|
|
All right, after talking to my coworkers I have realized that merging session would not work for us because it would break our javascript references to different windows open under a session. Another problem came up though, which I will ask about in a different topic.
Thank you for your replies,
Yuriy
|
|
 |
|
|
subject: Is it possible to merge two session?
|
|
|
0
