JavaRanch » Java Forums » Java » Servlets
URGENT ! user privelidges getting swapped when opening 2 sessions in the same machine

Ashutosh Uprety
Ranch Hand

Joined: Nov 30, 2000
Posts: 39
I have developed an application using JSP in which there are 2 types of users - ADMIN and NORMAL.
If I open 2 instances of the application with 1 user as ADMIN and the other as NORMAL, then both applications should work independently, with each one having its own privilege.
If I test this on 2 different machines it works fine. But if I open the 2 instances on the same machine using the same browser (both Netscape or both IE), then if I click on any link (for either user), the ADMIN user next sees the screen belonging to the NORMAL user if the NORMAL user is the latest to log in.
Similarly, if the ADMIN user is the latest to log in, then the NORMAL user sees the ADMIN-related screen on clicking any link.
How should I remove this error?
My restrictions are:
1. I cannot force the user to use cookies.
2. I cannot force the user not to use the same machine for 2 login IDs.
3. I am using Apache+Tomcat with SSL and Netscape 4.7 (and above) and IE 5.5 with the SSL patch.
Maky Chopra
Ranch Hand

Joined: Apr 11, 2001
Posts: 149
I think you are storing the users in sessions and then trying to access the pages from two browsers on the same machine, right?
It looks like you are opening your browser from File -> New Window. When you open browsers this way, your ID is the same, causing your application to use the sessions it has already created for ADMIN with those of USER.
Open a browser the old way and you should be fine. Let us know how it goes.
Andrew Shafer
Ranch Hand

Joined: Jan 19, 2001
Posts: 338

I think the problem is your session objects are writing cookies, which, because of the way browsers set and return cookies, will only have one valid cookie for the request at a time.
I believe the easiest way to fix this would be to use URL rewriting for each request to manage the sessions. Or you could maybe come up with a scheme that maintains the privileges on each request, instead of just checking them in the session.
Just curious, would the user need to be logged in as NORMAL and ADMIN? At the same time? Or are you worried about more than one person using the same machine?
Andrew


!_I_Know_Kung_Fu_!
Ashutosh Uprety
Ranch Hand

Joined: Nov 30, 2000
Posts: 39
Thanks Mak & Andrew.
To Andrew
----------
I am already doing URL rewriting and it has nothing to do with it.
Secondly, the user is allowed to log in both as NORMAL as well as ADMIN because he can play 2 different roles. So he may use the same machine and try to log in as both users at the same time.
To Mak
-------
You are correct in your 1st sentence.
Also the user can log in either by doing File -> New (which is the same as CTRL+N), or he can also log in by clicking the Netscape icon on the desktop twice. But here there is a catch.
There is a difference in the way IE and Netscape work.
In Netscape, whatever you do, i.e. CTRL+N or File -> New or clicking 2 times on the desktop icon, internally the process launched by Netscape is only one ... both the windows work internally as a single thread.
In IE, if you say CTRL+N or File -> New, it creates the 2nd window as a child window and shares the browser instances. BUT BUT BUT if you open 2 new windows by clicking on the desktop icon twice then they are 2 totally different and separate processes and each one is mutually exclusive to the other.
Hence in Netscape I can't do anything at all, but in IE if the user uses the desktop icons to launch windows then there is absolutely no problem and the user can log on any number of times.
I have modified my code to restrict the user from entering the application a 2nd time from the same machine, but this is not acceptable in a real-time situation. If you or anyone has any other solution then please do tell me.
Thanks
Andrew Shafer
Ranch Hand

Joined: Jan 19, 2001
Posts: 338

So when the user makes a request, the URL is appended with the session ID numbers as if it was requested with a GET?
You can see the ID # in the URL? And the server can't keep the sessions straight?
Maybe I'm the one that is confused, but it seems that if you used URL rewriting and appended the session ID to the URL with each request then the server should be able to keep the sessions straight, even if two windows are spawned from the same thread.
Any comments on why this would or would not be true are welcome.
maha anna
Ranch Hand

Joined: Jan 31, 2000
Posts: 1467
Ashutosh,
I created your situation in my application, which has 2 levels of login, admin and others. All the experiments you did and the results you got are exactly right and that's how NS and IE behave.
The missing point is that even though we URL-rewrite, the URL-rewriting mechanism will not append the sessionId if cookies are enabled in the browser. First preference is the cookie method only. If cookies are disabled, only then will URL rewriting come to the rescue by appending the sessionId through URLs.
To test this, I disabled cookies purposely in Netscape this time and opened a new browser using the File -> New method and was able to log in as a different user level. Previously, when cookies were enabled, I was not able to re-login as the same/different user level, because my login servlet will first check if the user has already logged in by checking a user-specific session object in the user's session.
But this second time I am able to log in either as admin/user level. Tried to disable cookies in IE 5.0. Couldn't figure out where to disable. In Tools - Internet Options - Advanced there is no cookies enable/disable setting. I am sure I have done this disabling before many times. Maybe I am impatient now!
You can make this test in IE also and see.
Regards
maha anna
maha anna
Ranch Hand

Joined: Jan 31, 2000
Posts: 1467
Just to make sure my memory and understanding were right, I went to Sun's tutorial and grabbed this info.
Here is the reference from Sun: http://java.sun.com/docs/books/tutorial/servlets/client-state/session-tracking.html

The last paragraph says URL rewriting is really done only when necessary, which means when the browser doesn't accept cookies.


[This message has been edited by maha anna (edited April 13, 2001).]
Andrew Shafer
Ranch Hand

Joined: Jan 19, 2001
Posts: 338

I guess I should have been more specific in my original post.

Using the response.encodeURL() method does NOT mean you are rewriting the URL. The session will be tracked with COOKIES, unless cookies are disabled, and only then will the session ID be appended to the URL. Obviously, I was unable to communicate this with my original response.
If you are explicitly rewriting the URL the application should have no problem keeping the requests straight.
The biggest lesson to be learned from this: encodeURL() != URL rewriting
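The point maha anna and Andrew make above (encodeURL() appends ;jsessionid only when the container thinks the browser will not return a cookie) can be seen directly from the servlet API. The diagnostic servlet below is an added example written for this thread, not code from any poster; the class name, the /app/menu.jsp path and the plain-text output format are assumptions. It reports which mechanism delivered the session ID on each request and compares what encodeURL() emits with an explicitly rewritten URL.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Diagnostic servlet (hypothetical name): reports how the session ID reached
 * the server and what response.encodeURL() actually emits for this request.
 *
 * Request it from two windows of the same browser process. With cookies
 * enabled both windows present the same JSESSIONID cookie, so both requests
 * resolve to ONE session and encodeURL() appends nothing. With cookies
 * disabled the container falls back to the ";jsessionid=..." path parameter
 * and each window keeps the ID carried by the URL it was opened from.
 */
public class SessionDiagServlet extends HttpServlet {

    /** Pure decision logic, separated from the servlet so it can be tested alone. */
    static String describeSource(boolean fromCookie, boolean fromUrl, boolean valid) {
        if (!valid)     return "no valid session ID presented (new session created)";
        if (fromCookie) return "session ID came from the JSESSIONID cookie";
        if (fromUrl)    return "session ID came from the ;jsessionid path parameter";
        return "session ID source unknown";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);

        // Did the client present a usable ID, and through which mechanism?
        boolean valid      = req.isRequestedSessionIdValid();
        boolean fromCookie = req.isRequestedSessionIdFromCookie();
        boolean fromUrl    = req.isRequestedSessionIdFromURL();

        // The container's choice: it rewrites only when it believes cookies are off.
        String containerLink = resp.encodeURL("/app/menu.jsp");
        // Explicit rewriting: the ID always rides in the path, cookies or not.
        String explicitLink  = "/app/menu.jsp;jsessionid=" + session.getId();

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("session id       : " + session.getId());
        out.println("source           : " + describeSource(fromCookie, fromUrl, valid));
        out.println("encodeURL gave   : " + containerLink);
        out.println("explicit rewrite : " + explicitLink);
        out.println("encodeURL rewrote: " + !containerLink.equals("/app/menu.jsp"));
    }
}
```

Two things to keep in mind when reading the output. First, if a browser sends a JSESSIONID cookie and the URL also carries a ;jsessionid, the container decides which one wins (Tomcat gives the cookie precedence), so explicit rewriting alone does not separate two windows that share a cookie jar. Second, a session ID in the URL is visible in browser history, Referer headers and proxy logs, so if URL rewriting is the chosen mechanism the session should be tied to HTTPS and invalidated on logout.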
Ashutosh Uprety
Ranch Hand

Joined: Nov 30, 2000
Posts: 39
That's fine, Andrew ... and I've already tested things with URL encoding/rewriting ...
The problem still seems to be at the browser level and not at the application level.
If you want you can try it out yourself. You will find that URL encoding/rewriting/cookies doesn't help anyway. The browser must be launched as a new process every time; only then will the server maintain individual sessions, otherwise the previous session will be overridden by the new session, and this is exactly what is happening. In fact Netscape itself says that its browser is not launched as a separate process every time.
Andrew Shafer
Ranch Hand

Joined: Jan 19, 2001
Posts: 338

How about you show the code you are using to do your URL rewriting?
As long as the correct Session_id is passed to the server with the request, the server should be able to keep the sessions straight, regardless of how the browser is opened or what thread, etc.
Did you read Maha Anna's post? The application seemed to be able to keep the sessions straight when cookies were disabled, because then the sessions were tracked by rewriting the URL instead of cookies, because that is the default method of tracking sessions. When you use .encodeURL() you are really setting cookies, unless they are disabled.
Try this: explicitly capture the value of the session_id, then store it as a hidden value in the generated HTML on each page and pass it along. Manage your own session tracking.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
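Andrew's closing suggestion (carry your own identifier in a hidden field and manage the tracking yourself) generalises into a per-window context on top of the one HttpSession the browser actually gives you. The servlet below is an added example written for this thread, not code from any poster; the class name, the "window.contexts" attribute, the "wtok" field name and the two-user credential table are constructed assumptions. Rather than passing the session ID itself, login mints a random window token, binds it to the authenticated role inside the shared session, and every page posts that token back; authorisation is then decided per request from the token, so the ADMIN window and the NORMAL window stay separate even though both send the same JSESSIONID.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.*;

/**
 * Per-window authorisation context on top of ONE shared HttpSession
 * (hypothetical class, attribute and field names). Works whether the
 * container tracks the session by cookie or by URL rewriting, because the
 * window token travels in a POST body, not in the session mechanism.
 */
public class WindowContextServlet extends HttpServlet {
    static final String CTX_ATTR    = "window.contexts";  // session attribute holding token -> context
    static final String TOKEN_FIELD = "wtok";             // hidden-field name carried by every page
    private static final SecureRandom RNG = new SecureRandom();

    /** What a window token resolves to. Lives only server-side, in the session. */
    static final class WindowContext {
        final String user, role;
        WindowContext(String user, String role) { this.user = user; this.role = role; }
    }

    // Constructed credential table standing in for the real user store: name -> {password, role}.
    private static final Map<String, String[]> USERS = new HashMap<>();
    static {
        USERS.put("alice", new String[] {"alice-pw", "ADMIN"});
        USERS.put("bob",   new String[] {"bob-pw",   "NORMAL"});
    }

    /** Returns the role for valid credentials, or null when they do not match. */
    static String authenticate(String user, String password) {
        String[] rec = (user == null) ? null : USERS.get(user);
        return (rec != null && rec[0].equals(password)) ? rec[1] : null;
    }

    /** Token -> context map for this session, created on first use; two windows may log in concurrently. */
    @SuppressWarnings("unchecked")
    static Map<String, WindowContext> contexts(HttpSession s) {
        synchronized (s) {
            Map<String, WindowContext> m = (Map<String, WindowContext>) s.getAttribute(CTX_ATTR);
            if (m == null) { m = new ConcurrentHashMap<>(); s.setAttribute(CTX_ATTR, m); }
            return m;
        }
    }

    /** Mint an unguessable 128-bit token for this window and bind it to the role. */
    static String bindWindow(HttpSession s, String user, String role) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        contexts(s).put(token, new WindowContext(user, role));
        return token;
    }

    /** Resolve the caller's window context from the hidden field; null if absent or unknown. */
    static WindowContext resolve(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        String token = req.getParameter(TOKEN_FIELD);
        return (s == null || token == null) ? null : contexts(s).get(token);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getParameter("action");
        if ("login".equals(action)) {
            String user = req.getParameter("user");
            String role = authenticate(user, req.getParameter("password"));
            if (role == null) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
            // A second login from another window adds a context; it does not replace the first.
            render(resp, bindWindow(req.getSession(true), user, role), role, "Logged in as " + user);
            return;
        }
        WindowContext ctx = resolve(req);
        if (ctx == null) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        if ("adminReport".equals(action)) {
            // Checked against THIS window's role, not against whoever logged in last.
            if (!"ADMIN".equals(ctx.role)) { resp.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
            render(resp, req.getParameter(TOKEN_FIELD), ctx.role, "Admin report for " + ctx.user);
            return;
        }
        render(resp, req.getParameter(TOKEN_FIELD), ctx.role, "Menu for " + ctx.user);
    }

    /** Every page re-embeds its token; using POST keeps it out of URLs, Referer headers and logs. */
    private void render(HttpServletResponse resp, String token, String role, String msg)
            throws IOException {
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<p>" + msg + " (role " + role + ")</p>");
        out.println("<form method=\"post\" action=\"" + resp.encodeURL("app") + "\">");
        out.println(" <input type=\"hidden\" name=\"" + TOKEN_FIELD + "\" value=\"" + token + "\">");
        out.println(" <input type=\"submit\" name=\"action\" value=\"menu\">");
        out.println(" <input type=\"submit\" name=\"action\" value=\"adminReport\">");
        out.println("</form>");
    }
}
```

The design choice worth noting is that the token never has to compete with the session cookie: it selects a context inside whichever session the container resolved, so it is indifferent to the cookie-versus-URL question that the rest of this thread turns on, and it satisfies the original restriction that cookies cannot be required (the form action still goes through encodeURL(), so URL-tracked sessions keep working). Removing a token from the map logs out that one window without touching the other.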
 