Can anybody give me an exact definition of http session semantics?
Suppose you connect to a classical login page that processes form data
using an HTTP servlet.
I observed the following:
1. If you connect more than once from the same browser instance, you most likely get the same session id (Iexplorer: yes, Netscape Communicator: yes, Jazilla: no).
2. If you connect from two different browsers running on the same machine, you possibly get the same session id, e.g. with Iexplorer and Navigator on some machines in our network.
3. The only way to be sure to get another session id seems to be to start browser instances on different machines. But I'm not even sure if this is true.
4. A session stays open and its id will possibly be reused if the browser instance is terminated.
These facts pose serious problems for my application, e.g.: What if a user logs in, closes the browser, and afterwards another user logs in and gets the same session id? What should the login processing servlet do in that case? It could cancel the old session and fetch a new one. But how can it be sure that the first user has really quit? If this is not the case, it would cancel the session and destroy user-specific data, which is not very nice.
Is there a generally accepted mechanism for dealing with these problems? I implemented methods which check whether a username/password combination matches a session, but all I can do is prevent users from accessing the session-private data of other users by locking them out. I don't believe that this is the recommended way. Can I even force the closing of a session when a browser is terminated?
In short, a mechanism which allowed me to force the creation of a new session would help me a lot. Does such a mechanism exist? Hope somebody can help. Thanks in advance!
Bernd
PS: our environment: JSDK 1.0 (SUN) on WinNT, different browsers on WinNT
in a LAN
______________________________________________________________________
Correspondence with Software Daten Service via e-mail is only for
information purposes. This medium is not to be used for the exchange of
legally-binding communications.
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
FAQs on JSP can be found at:
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.html
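One answer to the question above (what the login servlet should do when the browser hands it an existing session), as an added example that is not part of the original post and not JSDK code: on every successful login, invalidate whatever session the request carries and create a fresh one, so a second user on the same machine never inherits the first user's id or data, and bind the user name to the new session only at that point. This is the generally accepted way to stop a session being carried over across logins (today called session fixation prevention). The example assumes a javax.servlet container implementing Servlet API 2.2 or later (HttpSession.invalidate(), getSession(boolean), setAttribute() and setMaxInactiveInterval() all exist there); the class name, the attribute name and the in-memory credential table are constructed for the example.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Login servlet that never continues a session presented by the browser.
 * Example code written for this discussion; assumes Servlet API 2.2 or later.
 */
public class LoginServlet extends HttpServlet {

    /** Session attribute holding the authenticated user name (name chosen for the example). */
    public static final String USER_ATTR = "auth.user";

    /** Idle timeout in seconds: a closed browser never tells the server it is gone. */
    private static final int IDLE_TIMEOUT = 30 * 60;

    /** Constructed stand-in for a real credential store (which would hold password hashes). */
    private static final Map<String, String> CREDENTIALS = new HashMap<String, String>();
    static {
        CREDENTIALS.put("alice", "correct horse");
    }

    public void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        if (user == null || pass == null || !pass.equals(CREDENTIALS.get(user))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");
            return;
        }

        // Step 1: discard whatever session the request carries. It may belong to a
        // previous user of the same browser or machine. An id the server no longer
        // recognises makes getSession(false) return null, so there is nothing to drop.
        HttpSession stale = req.getSession(false);
        if (stale != null) {
            stale.invalidate();   // all attributes bound to the previous user are gone
        }

        // Step 2: create a brand-new session, with a new id, for this login only.
        HttpSession session = req.getSession(true);
        session.setAttribute(USER_ATTR, user);
        session.setMaxInactiveInterval(IDLE_TIMEOUT);

        resp.setContentType("text/plain");
        resp.getWriter().println("logged in as " + user);
    }

    /**
     * For other servlets: the authenticated user, or null if the request has no live
     * session or its session was created without going through the login above.
     * A stale cookie from a closed browser therefore cannot pass as a logged-in user.
     */
    public static String authenticatedUser(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session == null) {
            return null;
        }
        return (String) session.getAttribute(USER_ATTR);
    }

    /** Logout: explicit invalidation is the only reliable way to end a session. */
    public static void logout(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

Whether two browsers on one machine present the same id (observation 2) depends on how the id is carried to the server, in a cookie or a rewritten URL, which the servlet cannot influence; what the code above guarantees is that a login never continues an inherited session and that data bound to the previous user is unreachable through the new id.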