An application I am working on defines multiple roles, and communication
between users in these roles. There exist certain situations where a person
may want to access the application through more than one userID (e.g.
trader1 takes over trader2's clients while trader2 is on vacation etc.), or
has to act in usually mutually exclusive roles.

So this person opens more than one browser window and tries to log on as 2
(or n) different userIDs. Now we are getting into trouble - in general, the
session cookie is created per browser and not per window, causing the latest
session object to be used by all open windows into the application (and a
mess for the user). To quote the Servlet 2.2 spec:

7.7.3 Client Semantics
Due to the fact that cookies or SSL certificates are typically controlled by
the web browser process and are not associated with any particular window of
the browser, requests from all windows of a client application to a servlet
container might be part of the same session. For maximum portability, the
Developer should always assume that all windows of a client are participating
in the same session.

Is there a way to force a new session that is recognised as separate by the
browser window and the app, e.g. is

session = request.getSession(true) ;

when doing a new login in a different window doing the job? Do I have to
create a custom cookie and store all session related stuff in an object
referenced by this cookie? Anybody struggled with and/or solved this issue?

Thanks

        --peter
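
Added example, not part of the original message: a small Python model (not servlet code) of the shared-cookie situation described above. It assumes the container follows the specified getSession(true) behaviour of returning the existing session when the request carries a valid session id; Container, Browser and the per-window token are hypothetical names.

```python
# Constructed model of the behaviour quoted from Servlet 2.2, section 7.7.3.
# Container, Browser and the per-window token are hypothetical names.
import secrets


class Container:
    """Mimics request.getSession(true): reuse a valid session, else create one."""

    def __init__(self):
        self.sessions = {}

    def get_session(self, session_id):
        if session_id in self.sessions:          # a valid id was presented: reuse it
            return session_id, self.sessions[session_id]
        new_id = secrets.token_hex(16)           # no or unknown id: create a session
        self.sessions[new_id] = {}
        return new_id, self.sessions[new_id]


class Browser:
    """One cookie jar per browser process, shared by every window."""

    def __init__(self):
        self.cookie = None

    def login_with_cookie(self, container, user):
        self.cookie, session = container.get_session(self.cookie)
        session["user"] = user                   # overwrites any earlier login

    def whoami_with_cookie(self, container):
        return container.get_session(self.cookie)[1].get("user")


def login_with_window_token(container, user):
    """Per-window alternative: the id travels in that window's URLs, not a cookie."""
    token, session = container.get_session(None)
    session["user"] = user
    return token


def demo():
    c, b = Container(), Browser()
    b.login_with_cookie(c, "trader1")            # window 1
    b.login_with_cookie(c, "trader2")            # window 2, same cookie jar
    shared = b.whoami_with_cookie(c)             # what window 1 now sees
    w1 = login_with_window_token(c, "trader1")
    w2 = login_with_window_token(c, "trader2")
    return shared, c.sessions[w1]["user"], c.sessions[w2]["user"]


if __name__ == "__main__":
    print(demo())  # ('trader2', 'trader1', 'trader2')
```

A session id carried in the URL can leak through server logs, bookmarks and Referer headers, which is the trade-off of the per-window approach.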

