File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Handle session ID after deleting cookies

 
sravani gogineni
Ranch Hand
Posts: 33
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi

Could anyone tell me how do we handle sessionID after cookies are deleted.
My session.getID() returns a unique ID and stored it in cookie.How do i track the older session here?
Please help me.

Thanks
Sravani
 
Shankar Tanikella
Ranch Hand
Posts: 329
Eclipse IDE Java Oracle
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
related post for state and session tracking is here
What is meant by tracking the old session ID?
 
sravani gogineni
Ranch Hand
Posts: 33
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am trying to open multiple tabs in one session say Session 1 and page1, page2, page3.
If I logout of session1 from page 1 and delete the coookies and relogin to the same page(page 1) say session 2.
Now if i click on page2 the new sessionID (session 2) is obtained and this session 2 does not have any form data with respect to session1. So i want to redirect to login page when i click on page 2 and page3 if session1 is expired.
 
Shankar Tanikella
Ranch Hand
Posts: 329
Eclipse IDE Java Oracle
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
are you implementing session tracking already in your application?
 
sravani gogineni
Ranch Hand
Posts: 33
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Yes. Session is being tracked and stored in cookies but once cookies are deleted the session id is also deleted and there is no data available with respect to previous session. I want to redirect to the login page if the session is invalidated. but in this case the new session is obtained in the page 2.
 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 64178
83
IntelliJ IDE Java jQuery Mac Mac OS X
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Sounds like you can already detect when this situation occurs, so just redirect when you detect it.
 
sravani gogineni
Ranch Hand
Posts: 33
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Bear Bibeault wrote:Sounds like you can already detect when this situation occurs, so just redirect when you detect it.


i am unable to track the session when cookies are deleted. so my session is still active and trying to process the request and fails.
 
Stefan Evans
Bartender
Posts: 1640
9
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Session tracking is done by issuing a "session cookie" to the browser. That cookie lasts until the browser is closed, or deliberately deleted.
All the tabs share the same "browser" session, and thus share the same cookie.

If you invalidate the session (by logging out) and then log in again, it will issue you a new session id, and a new cookie.
Other open tabs within the same browser get that same cookie, and 'lose' the old one.
There is no way to recall information about the 'old' sessionId unless you have manually kept track of it yourself.

In fact you can't even tell which request comes from which tab of the browser.

The only way I can think of to detect a change in the session id like this would be to send the sessionId that was present when the page was loaded as a request parameter when that page is submitted. Then compare the 'old' sessionId to the current one, and redirect somewhere if they are different. Logistically that would be difficult to ensure that every single request included the old session id.

Anyway why would you redirect to the login page? The user has already logged in on the first tab, and that login applies to the other browser tabs. If you login on another tab, you will lose the first tabs credentials.
If you want anything other than this "standard" functionality, you will have to implement your own session tracking mechanism.



 
sravani gogineni
Ranch Hand
Posts: 33
  • 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Stefan Evans wrote:Session tracking is done by issuing a "session cookie" to the browser. That cookie lasts until the browser is closed, or deliberately deleted.
All the tabs share the same "browser" session, and thus share the same cookie.

If you invalidate the session (by logging out) and then log in again, it will issue you a new session id, and a new cookie.
Other open tabs within the same browser get that same cookie, and 'lose' the old one.
There is no way to recall information about the 'old' sessionId unless you have manually kept track of it yourself.

In fact you can't even tell which request comes from which tab of the browser.

The only way I can think of to detect a change in the session id like this would be to send the sessionId that was present when the page was loaded as a request parameter when that page is submitted. Then compare the 'old' sessionId to the current one, and redirect somewhere if they are different. Logistically that would be difficult to ensure that every single request included the old session id.

Anyway why would you redirect to the login page? The user has already logged in on the first tab, and that login applies to the other browser tabs. If you login on another tab, you will lose the first tabs credentials.
If you want anything other than this "standard" functionality, you will have to implement your own session tracking mechanism.





Thank you so much for the explanation.
Could you please tell me how to detect a change in the session id and load as request parameter?
 
Stefan Evans
Bartender
Posts: 1640
9
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The base of the idea is something like this on EVERY SINGLE PAGE


And then a servlet filter to intercept all requests which has logic something like:



The logistical difficulty (as I said) is putting the old_session_id so that it is sent with every request.
If you have a framework in use, you could modify it to add this information in automatically with every form/link, but even that wouldn't be guaranteed to catch everything.

However this kind of approach is the only way I can think of to detect a change in the session id in another tab.
 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 64178
83
IntelliJ IDE Java jQuery Mac Mac OS X
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Just check to see if the expected scoped variables are in the session or not. If they're not there, you need to log in again. Checking the session id isn't necessary, or am I missing something?
 
Stefan Evans
Bartender
Posts: 1640
9
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I was reading the process in this way.

On Tab 1, Log in to your web app as User A.
Open a new tab on your browser to the same web app (Tab 2) still logged in as User A.
In Tab 1, log out as User A, log in as User B.

What is the state of Tab 2?
If we make a request from Tab 2, and look at the session id, and attributes what values will they be? For User A or User B?

From my understanding Tab 2 will be referencing User B, even though the page was originally loaded with User A.
Because tabbed browsing shares the same browser cookies, it will pick up the new server session id automatically.
And there is no way on Tab 2 to easily tell that something has changed - I don't think...
 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 64178
83
IntelliJ IDE Java jQuery Mac Mac OS X
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
How realistic is the scenario where two people will sit at the same computer and log in within different tabs?

If it's a realistic concern, I'd consider using nonce values placed into the session over dicking with the session id. I'd also likely employ a filter.
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic