I'm running into session problems where a user is using IE, goes to my site with a fresh browser, then right clicks a link on there and opens it in a new window. This creates two browsers with the same session id.
This user now can enjoy all kinds of weird mysterious errors as he navigates to different parts of the site because the two browsers may store different values with the same key value and since they have the same session id, they directly interfere with each other.
Does anyone know how I might handle such a problem? (My site is stateful so I can't just switch to a stateless model.)
I am not sure how valid this solution would be for you but in my application, basically, if a user has a browser open (we track that by storing user-ids and session ids in the database), we kick him out if he opens another browser. I guess that's how my application uses session variables without any thought of thread safety for them. Anyway, I am not sure if this would be a viable solution in your case but that is definitely one of the options. [ February 16, 2005: Message edited by: Ritu varada ]
Ritu, thanks for the suggestion. Of course I'd prefer to let the user do what they want, but I'll consider anything that eliminates the problem. How do you detect if a user has opened a new browser window? It doesn't even go through the login process, so I was wondering how you could detect it.
User name and session id would be identical. Are you also tracking the particular page the user is on (if he was on two different pages at the same time you'd know he opened a window), or is it easier than that?
...if he was on two different pages at the same time you'd know he opened a window...
If you're using MVC, the controller could throw an exception if an invalid page flow was detected (i.e. the request says "I'm on page A" when the controller state says it should be page C). This could disable one browser or the other.
What we have is a very primitive way of doing it. Every time a user logs in, we load a navigation frame, which lets the user do his things. So, when he opens another browser, the browser will essentially try to load the nav. In the nav, we check whether the user is coming from the login page. If he is not, we kick him out saying that he has duplicate browsers. Additionally, once the nav is loaded, in our main code, we check whether the user id entered has a valid session (as I told in the previous post). I would love to get ideas to improve this!!!
Rovas, thanks for your reply. The site navigation is pretty open, almost a matrix style navigation. There is a left hand navigation menu and plenty of links on various pages. So I don't see any potential in throwing invalid page flow exceptions for my site - except when I'm in a linear progression and what I need from session is not there, as in the case of a previous bookmark. This has merit in catching bad flows from two or more browsers, but if the flow is not a bad one, I can still be in trouble with different values for the same session key. On browser X, he might now be on page A with color="blue" in session and on browser Y he might be on page A with color="brown" in session. In actuality, there is only one color in session for both browser X and Y and it is either blue or brown depending on which was saved last.
One thing that did come to mind was if I was able to replace all links with buttons. That could eliminate multiple browsers opening through the links, but I'd still have the problem if they did a File->Open->New Window.
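
The page-flow check suggested earlier in the thread, written out as an added example (not code from any poster), together with the case the last post says it cannot catch. The `Controller` class, the `from_page`/`to_page` parameters, and the session id are hypothetical, and a plain dict stands in for the server-side session.

```python
class InvalidPageFlow(Exception):
    """Raised when a request's claimed page differs from the session's recorded page."""


class Controller:
    """Hypothetical front controller; `sessions` maps session id -> attribute dict."""

    def __init__(self):
        self.sessions = {}

    def handle(self, session_id, from_page, to_page, attrs=None):
        # from_page is what the browser window says it is showing (for example a
        # hidden form field); the session remembers the page the server rendered last.
        session = self.sessions.setdefault(session_id, {"page": "login"})
        if from_page != session["page"]:
            raise InvalidPageFlow(
                f"request claims {from_page!r}, session is on {session['page']!r}")
        session.update(attrs or {})
        session["page"] = to_page
        return session


def demo():
    sid = "constructed-session-id"  # both windows send the same session cookie

    # Case 1: the windows diverge, so the stale window is detected.
    c = Controller()
    c.handle(sid, "login", "A")     # window X: login -> A
    c.handle(sid, "A", "C")         # window Y (opened from A): A -> C
    try:
        c.handle(sid, "A", "B")     # window X still shows A; session says C
        detected = False
    except InvalidPageFlow:
        detected = True

    # Case 2: both windows stay on page A, so the flow check passes every time
    # and the shared session simply keeps whichever color was saved last.
    c2 = Controller()
    c2.handle(sid, "login", "A")
    c2.handle(sid, "A", "A", {"color": "blue"})           # window X saves blue
    session = c2.handle(sid, "A", "A", {"color": "brown"})  # window Y saves brown
    return detected, session["color"]


if __name__ == "__main__":
    print(demo())
```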