Actually, that has nothing to do with it, Steve; the issue is not one
of state at all. The problem is one of process isolation, assuming
we're referring to session cookies which are only retained in memory.
IE supports a different process per browser window, Firefox does not.
For cookies which are placed on disk, they are shared amongst all
browser instances, even when they have separate memory footprints.
Cookieless sessions are a security flaw, due to the ease of compromise
of the session token from the query string either on the user's system
or via web server logs and even referer logs.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"[T]he people can always be brought to the bidding of the leaders.
This is easy. All you have to do is to tell them they are being
attacked, and denounce the pacifists for lack of patriotism and
exposing the country to danger. It works the same in every country."
--Hermann Goering, Hitler's Reich-Marshall at the Nuremberg Trials
On Jul 3, 2008, at 12:32 PM, Steven Ross wrote:
What you are asking to do really isn't possible because of the
stateless nature of HTTP because you can't tell where the user is
coming from. If they are authenticated then the application / web
server has no idea what client (browser window) they are coming from
and will let them perform any task from multiple windows (unless
they launch a completely new instance of the browser - which like
you said would only work if you were not using cookie based
authentication). Sounds like you just need to educate your users a
bit.
-Steve
On Thu, Jul 3, 2008 at 12:11 PM, Bruce Hodgdon
<[EMAIL PROTECTED]> wrote:
Is there any way to force a new session, if a user opens a new tab
then goes to the same app that is in the first window?
We use the pretty standard cfapplication that allows cookies and
session management.
I have found that sometimes users will open a new tab and go to the
same application basically executing the app twice from different
windows. But since both these windows share session variables
this can sometimes cause problems (changes in one window affect the
other). Executing the browser twice keeps separate sessions.
But since this is 2 windows in the same browser the cookie that
points to the session id is the same.
I guess one way around this is cookieless sessions, then I believe
you would have to put the jsessionid on each URL? I don't like
doing that. And that wouldn't stop someone from copying and
pasting the URL to another window and having the same issue.
Or is there a good way to tell if the user does have 2 windows open
with the same session?
Or other slick ways around this issue?
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
--
Steven Ross
web application & interface developer
http://blog.stevensross.com
[mobile] 404-488-4364 [fax] (404) 592-6885
[ AIM / Yahoo! : zeriumsteven ] [googleTalk : nowhiding ]
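Added example, not part of the original thread: a small audit script for the exposure described in the top reply, where a session token carried in the URL ends up in web server logs and in referer logs. It assumes Apache/NCSA combined log format and the parameter names `jsessionid` (named in the thread) and ColdFusion's `CFID`/`CFTOKEN`; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# URL parameters that carry a session token. jsessionid is named in the
# thread; CFID/CFTOKEN are ColdFusion's URL session parameters (assumed in use).
TOKEN_PARAMS = {"jsessionid", "cfid", "cftoken"}

# Combined log format: client, date, request line, status, size, referer, agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def tokens_in_url(url):
    """Return sorted names of session parameters found in a URL's path or query."""
    parts = urlsplit(url)
    found = set()
    # ";jsessionid=..." is a path parameter, so it never shows up in the query.
    for seg in parts.path.split(";")[1:]:
        name = seg.split("=", 1)[0].lower()
        if name in TOKEN_PARAMS:
            found.add(name)
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in TOKEN_PARAMS:
            found.add(name.lower())
    return sorted(found)

def scan(lines):
    """Yield (line_no, field, param_names); token values are never emitted."""
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        for field in ("url", "referer"):
            names = tokens_in_url(m.group(field))
            if names:
                yield n, field, names

# Constructed sample lines (addresses, hosts and token values are made up).
SAMPLE = [
    '192.0.2.10 - - [03/Jul/2008:12:11:00 -0400] "GET /app/index.cfm?CFID=1201&CFTOKEN=55512345 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Jul/2008:12:11:05 -0400] "GET /app/list.cfm;jsessionid=8430a1b2c3 HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Jul/2008:12:11:09 -0400] "GET /banner.gif HTTP/1.1" 200 90 "http://app.example/app/edit.cfm?id=4&CFID=1201&CFTOKEN=55512345" "Mozilla/5.0"',
    '192.0.2.11 - - [03/Jul/2008:12:12:00 -0400] "GET /app/index.cfm?id=4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, field, names in scan(SAMPLE):
        print(f"line {line_no}: session token in {field}: {', '.join(names)}")
```

The third sample line is the referer case: the token appears in the log of whichever server received the follow-on request, not only in the application's own log.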