One way to deal with it is to disable session cookies, and rely on
URL rewriting to carry session IDs. This would cause each new browser
window (in fact, every new request without a jsessionid in the URL) to
create a new session (when one is requested).

Hani

On Mon, 2 Apr 2001, cybermaster wrote:

> An application I am working on defines multiple roles, and communication
> between users in these roles. There exist certain situations where a person
> may want to access the application through more than one userID (e.g.
> trader1 takes over trader2's clients while trader2 is on vacation etc.), or
> has to act in usually mutually exclusive roles.
> 
> So this person opens more than one browser window and tries to log on as 2
> (or n) different userIDs. Now we are getting into trouble - in general, the
> session cookie is created per browser and not per window, causing the latest
> session object to be used by all open windows into the application (and a
> mess for the user). To quote Servlet2.2 spec:
> 
> 7.7.3 Client Semantics
> Due to the fact that cookies or SSL certificates are typically controlled by
> the web browser process and are not associated with any particular window of
> the browser, requests from all windows of a client application to a servlet
> container might be part of the same session. For maximum portability, the
> Developer should always assume that all windows of a client are
> participating in the same session.
> 
> Is there a way to force a new session that is recognised as separate by the
> browser window and the app, e.g. is
> 
> session = request.getSession(true) ;
> 
> when doing a new login in a different window doing the job? Do I have to
> create a custom cookie and store all session related stuff in an object
> referenced by this cookie?  Anybody struggled with &/or solved this issue?
> 
> Thanks
> 
>       --peter
> 
> 
> 
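
Hani's suggestion above, as an added example that is not code from the thread or from any poster: the session cookie is switched off for the whole application and the login servlet hands each window its own session through the rewritten URL. It assumes a Servlet 3.0 or later container (newer than the Servlet 2.2 spec quoted above) with container-managed authentication behind `req.login`; the class names, the `/login` and `home` paths and the `userId`/`password` parameter names are hypothetical.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical class names; Servlet 3.0+ API (not available in Servlet 2.2).
@WebServlet("/login")
public class PerWindowLoginServlet extends HttpServlet {
    // Disable the session cookie for the whole application: the container
    // then tracks sessions only through ;jsessionid=... in the URL.
    @WebListener
    public static class UrlOnlyTracking implements ServletContextListener {
        @Override public void contextInitialized(ServletContextEvent e) {
            e.getServletContext()
             .setSessionTrackingModes(EnumSet.of(SessionTrackingMode.URL));
        }
        @Override public void contextDestroyed(ServletContextEvent e) { }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        try {
            // A new window's request carries no jsessionid, so it has no
            // session; a re-login in the same window discards the old one.
            req.logout();
            HttpSession stale = req.getSession(false);
            if (stale != null) stale.invalidate();

            HttpSession session = req.getSession(true); // this window's session
            // Container-managed check; throws ServletException on bad credentials.
            req.login(req.getParameter("userId"), req.getParameter("password"));
            session.setAttribute("userId", req.getRemoteUser());
            // Every link and redirect must be encoded, or the next request
            // arrives without the ID and loses the session.
            resp.sendRedirect(resp.encodeRedirectURL("home"));
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }
}
```

Because the session ID now travels in the URL, it shows up in access logs, browser history and Referer headers, so serve the application over HTTPS only and keep the session timeout short.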

