Bear Bibeault wrote:Sounds like you can already detect when this situation occurs, so just redirect when you detect it.
Stefan Evans wrote:Session tracking is done by issuing a "session cookie" to the browser. That cookie lasts until the browser is closed, or deliberately deleted.
All the tabs share the same "browser" session, and thus share the same cookie.
If you invalidate the session (by logging out) and then log in again, it will issue you a new session id, and a new cookie.
Other open tabs within the same browser get that same cookie, and 'lose' the old one.
There is no way to recall information about the 'old' sessionId unless you have manually kept track of it yourself.
In fact you can't even tell which request comes from which tab of the browser.
The only way I can think of to detect a change in the session id like this would be to send the sessionId that was present when the page was loaded as a request parameter when that page is submitted. Then compare the 'old' sessionId to the current one, and redirect somewhere if they are different. Logistically that would be difficult to ensure that every single request included the old session id.
Anyway why would you redirect to the login page? The user has already logged in on the first tab, and that login applies to the other browser tabs. If you login on another tab, you will lose the first tabs credentials.
If you want anything other than this "standard" functionality, you will have to implement your own session tracking mechanism.