Maintaining Unique Sessions in JSP

A web application developed a decade ago. Currently running in Weblogic 8.1 server. Through browser if I logged as USER 1, able to navigate end-end. Some screens has hyperlink menus. Onclick will bring new pop-up window with data pertaining to USER 1. Inside the pop-window another jsp page will be loaded.

Issue is without closing the existing browser and its pop-up windows. If I loggin as USER 2 in another browser, and click any hyper link related items on the screens. New pop-up window is NOT happening instead refreshing the existing pop-up windows with USER 2 data.

Requirement is USER 1 navigation and USER 2 navigation should be independant.

Jsp page includes Java Script and Scriptlet codes. Objects providing User related data are serialized.

Articulate the problem as much as possible. Please provide me your valuable suggestions.

Originally posted by Narasimhan Sethuraman:
...
Articulate the problem as much as possible. ...

I think that's your job.

JSP/servlets weren't meant to support multiple sessions in the same browser instance so, if you need to support this, you'll probably need to write your own session handling mechanism with querystring parameters or something.

Narasimhan,
Welcome to JavaRanch!

Can you expand on the reason behind the requirement that two different users can be logged in from the same browser? This seems like something that would never happen in real life.

Will different users browse in the same browser? Which is not practically impossible...So don't worry about that....If you still need to fix it. Get in the way Ben suggests..

Thanks for the responses. First I would like to clarify all that new instances of the browser will be used for each USER Id. Logging to the application happens from the same machine. Further the need for this approach is for maker & Checker concept. In few remote locations both maker & checker are single person. Instead of logging from two different machine. User wants to perform both maker and checker options on the same machine with different User loggins.

Please help me how sessions need to be handled to fix the above issue.

Originally posted by Narasimhan Sethuraman:
Instead of logging from two different machine. User wants to perform both maker and checker options on the same machine with different User loggins.

Why can't the user logout between the two roles? Since the user wants to be a different id, I would think he/she would disconnect with the current session first. That is how websites work it - one id at a time per browser.

New pop-up window is NOT happening .

Actually when you start new session it completly independant from another session until you follow session handling mechanism.
In your case new pouup is not opening is browser releted issue.
try in IE7 it might work.
If not by javascript you can delete previous cokkies that might preventing opening of jsp page.

ALL THE BEST

Hi Santosh Kolekar welcome to Javaranch,

If not by javascript you can delete previous cokkies that might preventing opening of jsp page.

deleting all cookies will cause both users to log out.

Anyone help me how sessions will be handle in Jsp/Servlet by binding with relevant data objects to solve the existing problem

Anyone help me how sessions will be handle in Jsp/Servlet by binding with relevant data objects to solve the existing problem

As stated by Ben and Jeanne and others above, this problem is not at all with session management.
The problem is with the particular requirement and not really. with the browser.

One possible solution is using different browsers like Firefox for maker and IE or Netscape or Opera,etc for checker.


Hope this helps

Initially all thought logging through two different ID's on the same instance of the browser. It is not the case as I mentioned in my previous mail. I am looking how to handle sessions in Jsp/Servlet and binding the relevant data objects with the respective session id's. Hope that will resolve the issue.

Originally posted by Narasimhan Sethuraman:
It is not the case as I mentioned in my previous mail. I am looking how to handle sessions in Jsp/Servlet and binding the relevant data objects with the respective session id's.

Sessions are tied to the browser though. Any server will handle sessions by linking a browser session to the JSP/Servlet session. People keep replying with the browser discussion because it is relevant to your problem. You don't handle sessions explicitly by writing code to handle multiple sessions at the same time.

There are few questions in this thread (including my own) asking about your true goals. Answering those will help you get a useful reply. Repeating the same words doesn't help understand it better.

Narasimhan,

As far as i can make out this seems to be problem with html anchor element.
Can you verify whether property [ target="_blank" ] is present in your
existing anchor tags. Since this will ensure a separate browser window will be
opened whenever this link is clicked.

Can you verify whether property [ target="_blank" ] is present in your
existing anchor tags.

That has no bearing at all on whether the session is shared with the window or not.

Jeanne Boyarsky & others thanks for your response. As mentioned in my first mail that it is a decade old application working fine. One of our customer has requested the way I explained the problem (Separate window for each USER ID loggin). Need your help to handle multiple sessions explicitly.

Originally posted by Narasimhan Sethuraman:
As mentioned in my first mail that it is a decade old application working fine.

It's not working fine if it doesn't meet all your requirements. You are going to have to change something for this request - either convince the user that this is a bad idea or write an ugly insecure hack.

One of our customer has requested the way I explained the problem (Separate window for each USER ID loggin).

Have you tried explaining the customer that a user id should logout before another logs in from the same computer? The customer requested an implementation here not a goal. There may be other ways of accomplishing a goal. An example of a goal is "I want to be able to test a multiple step operation with different roles without logging in for each step." (I don't think this is a good goal, but at least it's a goal.) If the customer needs two user ids logged in from the same machine at the same time, I would insist on knowing why as a developer before implementing it. That is the responsible thing to do. It is a skill that is important to have as an analyst. It is also your responsibility to make sure the customer understands the security implications of such a request.

Need your help to handle multiple sessions explicitly.

You would have to write a hack to pass the information with each request and look in a part of the HttpSession for the "correct" user. I highly recommend against doing this. It's not secure (someone could tamper with the URL and access a different user's session.) It doesn't make sense to have different user ids in different windows and it creates code that is difficult to maintain/understand. Do you want someone posting here in five years wondering what possessed someone to write code like this? Or worse, have a security breach.

I also want to give you an example of a customer request we got - the user wanted a box around something. This was a "mandatory" request from our user's manager. I think the screen looked better without the box (to be consistent with other screens) and due to our existing implementation model, the box was a large effort. I e-mailed the user a screenshot of the real screen implemented without the box and a level of effort for the box. He said not to do the box. His real goal was that a certain data point be clear. Which it was without the box. Seeing the example showed the user there are other ways to meet a goal. And the goal was more important than the requested implementation. My point here is that you should talk to the user about goals and not just the "unique sessions" requirement.

Jeanne Boyarsky thanks for your detailed response. Your points are valid. Customer choice is either you allow completely or don't allow the second user id login on the same machine. How to prevent second user id login and provide some meaning full msg to the user.

I would not prevent the second login. I'd just put up a warning that logging in would automatically log out the previous user.

Originally posted by Narasimhan Sethuraman:
Customer choice is either you allow completely or don't allow the second user id login on the same machine. How to prevent second user id login and provide some meaning full msg to the user.

This is good. This means you don't need a unique session. I second Bear's suggestion to logout the first user when the user tries to log in with a different id.