Handle session ID after deleting cookies

sravani gogineni
Ranch Hand

Joined: Feb 09, 2011
Posts: 33
Hi

Could anyone tell me how we handle the session ID after cookies are deleted?
My session.getID() returns a unique ID and it is stored in a cookie. How do I track the older session here?
Please help me.

Thanks
Sravani
Shankar Tanikella
Ranch Hand

Joined: Jan 30, 2011
Posts: 329

related post for state and session tracking is here
What is meant by tracking the old session ID?

Have Fun with Java
little,little.. little by little makes a lot..
sravani gogineni
Ranch Hand

Joined: Feb 09, 2011
Posts: 33
I am trying to open multiple tabs in one session, say Session 1, with page1, page2, page3.
If I log out of session1 from page 1 and delete the cookies and log in again to the same page (page 1), say session 2.
Now if I click on page2 the new sessionID (session 2) is obtained and this session 2 does not have any form data with respect to session1. So I want to redirect to the login page when I click on page 2 and page3 if session1 is expired.
Shankar Tanikella
Ranch Hand

Joined: Jan 30, 2011
Posts: 329

Are you implementing session tracking already in your application?
sravani gogineni
Ranch Hand

Joined: Feb 09, 2011
Posts: 33
Yes. The session is being tracked and stored in cookies, but once cookies are deleted the session id is also deleted and there is no data available with respect to the previous session. I want to redirect to the login page if the session is invalidated. But in this case the new session is obtained in page 2.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61449

Sounds like you can already detect when this situation occurs, so just redirect when you detect it.


sravani gogineni
Ranch Hand

Joined: Feb 09, 2011
Posts: 33
Bear Bibeault wrote: Sounds like you can already detect when this situation occurs, so just redirect when you detect it.


I am unable to track the session when cookies are deleted. So my session is still active and trying to process the request and fails.
Stefan Evans
Bartender

Joined: Jul 06, 2005
Posts: 1018
Session tracking is done by issuing a "session cookie" to the browser. That cookie lasts until the browser is closed, or deliberately deleted.
All the tabs share the same "browser" session, and thus share the same cookie.

If you invalidate the session (by logging out) and then log in again, it will issue you a new session id, and a new cookie.
Other open tabs within the same browser get that same cookie, and 'lose' the old one.
There is no way to recall information about the 'old' sessionId unless you have manually kept track of it yourself.

In fact you can't even tell which request comes from which tab of the browser.

The only way I can think of to detect a change in the session id like this would be to send the sessionId that was present when the page was loaded as a request parameter when that page is submitted. Then compare the 'old' sessionId to the current one, and redirect somewhere if they are different. Logistically that would be difficult to ensure that every single request included the old session id.

Anyway, why would you redirect to the login page? The user has already logged in on the first tab, and that login applies to the other browser tabs. If you log in on another tab, you will lose the first tab's credentials.
If you want anything other than this "standard" functionality, you will have to implement your own session tracking mechanism.



sravani gogineni
Ranch Hand

Joined: Feb 09, 2011
Posts: 33
Stefan Evans wrote: Session tracking is done by issuing a "session cookie" to the browser. That cookie lasts until the browser is closed, or deliberately deleted.
All the tabs share the same "browser" session, and thus share the same cookie.

If you invalidate the session (by logging out) and then log in again, it will issue you a new session id, and a new cookie.
Other open tabs within the same browser get that same cookie, and 'lose' the old one.
There is no way to recall information about the 'old' sessionId unless you have manually kept track of it yourself.

In fact you can't even tell which request comes from which tab of the browser.

The only way I can think of to detect a change in the session id like this would be to send the sessionId that was present when the page was loaded as a request parameter when that page is submitted. Then compare the 'old' sessionId to the current one, and redirect somewhere if they are different. Logistically that would be difficult to ensure that every single request included the old session id.

Anyway, why would you redirect to the login page? The user has already logged in on the first tab, and that login applies to the other browser tabs. If you log in on another tab, you will lose the first tab's credentials.
If you want anything other than this "standard" functionality, you will have to implement your own session tracking mechanism.





Thank you so much for the explanation.
Could you please tell me how to detect a change in the session id and load as request parameter?
Stefan Evans
Bartender

Joined: Jul 06, 2005
Posts: 1018
The base of the idea is something like this on EVERY SINGLE PAGE


And then a servlet filter to intercept all requests which has logic something like:



The logistical difficulty (as I said) is putting the old_session_id so that it is sent with every request.
If you have a framework in use, you could modify it to add this information in automatically with every form/link, but even that wouldn't be guaranteed to catch everything.

However this kind of approach is the only way I can think of to detect a change in the session id in another tab.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61449

Just check to see if the expected scoped variables are in the session or not. If they're not there, you need to log in again. Checking the session id isn't necessary, or am I missing something?
Stefan Evans
Bartender

Joined: Jul 06, 2005
Posts: 1018
I was reading the process in this way.

On Tab 1, Log in to your web app as User A.
Open a new tab on your browser to the same web app (Tab 2) still logged in as User A.
In Tab 1, log out as User A, log in as User B.

What is the state of Tab 2?
If we make a request from Tab 2, and look at the session id, and attributes what values will they be? For User A or User B?

From my understanding Tab 2 will be referencing User B, even though the page was originally loaded with User A.
Because tabbed browsing shares the same browser cookies, it will pick up the new server session id automatically.
And there is no way on Tab 2 to easily tell that something has changed - I don't think...
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61449

How realistic is the scenario where two people will sit at the same computer and log in within different tabs?

If it's a realistic concern, I'd consider using nonce values placed into the session over dicking with the session id. I'd also likely employ a filter.
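
The checks discussed in this thread, as an added example that is not code from any of the posters: a servlet filter that redirects to the login page when the expected login attribute is missing from the session, or when a page submits a token that was rendered under a different session. It uses a random per-login token in place of the raw session id, so the session id itself is never written into page source or URLs; the attribute names, the parameter name and the login path are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example. Assumed names: "user" and "pageToken" session attributes,
// "page_token" request parameter, /login.jsp as the login page.
public class StaleTabFilter implements Filter {
    private static final SecureRandom RNG = new SecureRandom();

    // Call once after a successful login, on the newly created session.
    public static void issueToken(HttpSession session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        session.setAttribute("pageToken",
                Base64.getUrlEncoder().withoutPadding().encodeToString(raw));
    }

    // True when the token the page was rendered with matches this session's token.
    static boolean sameSession(String sent, String current) {
        if (sent == null || current == null) return false;
        return MessageDigest.isEqual(sent.getBytes(StandardCharsets.UTF_8),
                current.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String path = req.getRequestURI().substring(req.getContextPath().length());
        if (path.startsWith("/login")) { chain.doFilter(rq, rs); return; }

        HttpSession session = req.getSession(false);   // never create one here
        boolean loggedIn = session != null && session.getAttribute("user") != null;
        String sent = req.getParameter("page_token");
        // No login state, or a form rendered under a different session: log in again.
        if (!loggedIn || (sent != null
                && !sameSession(sent, (String) session.getAttribute("pageToken")))) {
            res.sendRedirect(req.getContextPath() + "/login.jsp");
            return;
        }
        chain.doFilter(rq, rs);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Each form would carry the token as a hidden field, for example `<input type="hidden" name="page_token" value="${sessionScope.pageToken}">`. Requests that send no token are only checked for the login attribute, which is the coverage gap described earlier in the thread.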
 