[ACFUG Discuss] Cookies/Sessions when opening a new window in tabbed browsers
Is there any way to force a new session, if a user opens a new tab then goes to the same app that is in the first window? We use the pretty standard cfapplication that allows cookies and session management. I have found that sometimes users will open a new tab and go to the same application basically executing the app twice from different windows.But since both these windows share session variables this can sometimes cause problems (changes in one window effect the other).Executing the browser twice keeps separate sessions.But since this is 2 windows in the same browser the cookie that points to the session id is the same. I guess one way around this is cookieless sessions, then I believe you would have to put the jsessionid on each url? I don't like doing that.And that wouldn't stop someone from copying and pasting the URL to another window and having the same issue. Or is there a good way to tell if the user does have 2 windows open with the same session? Or other slick ways around this issue? - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -
Re: [ACFUG Discuss] Cookies/Sessions when opening a new window in tabbed browsers
What you are asking to do really isn't possible because of the stateless nature of http because you can't tell where the user is coming from. If they are authenticated then the application / web server has no idea what client (browser window) they are coming from and will let them perform any task from multiple windows (unless they launch a completely new instance of the browser - which like you said would only work if you were not using cookie based authentication). Sounds like you just need to educate your users a bit. -Steve On Thu, Jul 3, 2008 at 12:11 PM, Bruce Hodgdon [EMAIL PROTECTED] wrote: Is there any way to force a new session, if a user opens a new tab then goes to the same app that is in the first window? We use the pretty standard cfapplication that allows cookies and session management. I have found that sometimes users will open a new tab and go to the same application basically executing the app twice from different windows.But since both these windows share session variables this can sometimes cause problems (changes in one window effect the other).Executing the browser twice keeps separate sessions.But since this is 2 windows in the same browser the cookie that points to the session id is the same. I guess one way around this is cookieless sessions, then I believe you would have to put the jsessionid on each url? I don't like doing that. And that wouldn't stop someone from copying and pasting the URL to another window and having the same issue. Or is there a good way to tell if the user does have 2 windows open with the same session? Or other slick ways around this issue? - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by FusionLink http://www.fusionlink.com - -- Steven Ross web application interface developer http://blog.stevensross.com [mobile] 404-488-4364 [fax] (404) 592-6885 [ AIM / Yahoo! : zeriumsteven ] [googleTalk : nowhiding ] - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -
Re: [ACFUG Discuss] Cookies/Sessions when opening a new window in tabbed browsers
Actually, that has nothing to do with it Steve, the issue is not one of state at all. The problem is one of process isolation assuming we're referring to session cookies which are only retained in memory. IE supports a different process per browser window, Firefox does not. For cookies which are placed on disk, they are shared amongst all browser instances, even when they have separate memory footprints. Cookieless sessions are a security flaw, due to the ease of compromise of the session token from the query string either on the user's system or via web server logs and even referer logs. -dhs Dean H. Saxe, CISSP, CEH [EMAIL PROTECTED] [T]he people can always be brought to the bidding of the leaders. This is easy. All you have to do is to tell them they are being attacked, and denounce the pacifists for lack of patriotism and exposing the country to danger. It works the same in every country. --Hermann Goering, Hitler's Reich-Marshall at the Nuremberg Trials On Jul 3, 2008, at 12:32 PM, Steven Ross wrote: What you are asking to do really isn't possible because of the stateless nature of http because you can't tell where the user is coming from. If they are authenticated then the application / web server has no idea what client (browser window) they are coming from and will let them perform any task from multiple windows (unless they launch a completely new instance of the browser - which like you said would only work if you were not using cookie based authentication). Sounds like you just need to educate your users a bit. -Steve On Thu, Jul 3, 2008 at 12:11 PM, Bruce Hodgdon [EMAIL PROTECTED] wrote: Is there any way to force a new session, if a user opens a new tab then goes to the same app that is in the first window? We use the pretty standard cfapplication that allows cookies and session management. I have found that sometimes users will open a new tab and go to the same application basically executing the app twice from different windows.But since both these windows share session variables this can sometimes cause problems (changes in one window effect the other).Executing the browser twice keeps separate sessions. But since this is 2 windows in the same browser the cookie that points to the session id is the same. I guess one way around this is cookieless sessions, then I believe you would have to put the jsessionid on each url? I don't like doing that.And that wouldn't stop someone from copying and pasting the URL to another window and having the same issue. Or is there a good way to tell if the user does have 2 windows open with the same session? Or other slick ways around this issue? - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by FusionLink - -- Steven Ross web application interface developer http://blog.stevensross.com [mobile] 404-488-4364 [fax] (404) 592-6885 [ AIM / Yahoo! : zeriumsteven ] [googleTalk : nowhiding ] - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by FusionLink - - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -
RE: [ACFUG Discuss] Cookies/Sessions when opening a new window in tabbed browsers
Well..maybe, maybe not... Just for theoretical sake...you COULD make this work - would it be worth the trouble, that really depends on how many users do what was described below. But, you COULD get creative... Something like this. Let's say that there's a portal page to your application...you could actually force a new cfid and cftoken on that page and ALSO, you'd have to make sure it wasn't a temporary cookie. You'd have to make it a persistent cookie so that it wasn't in the browsers memory (otherwise they'd collide). Then, each tab would basically have it's own cfid/cftoken pair that would be unique to those browser sessions and you could have the user running two different sessions at a time. If you're not familiar with how the cookie is handled for the cf session, you'll definitely want to do some reading on that. Now, I will say with that with this approach, you may run into some weird things that you had not thought about before...but in theory, it's possible. Allen From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven Ross Sent: Thursday, July 03, 2008 12:33 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] Cookies/Sessions when opening a new window in tabbed browsers What you are asking to do really isn't possible because of the stateless nature of http because you can't tell where the user is coming from. If they are authenticated then the application / web server has no idea what client (browser window) they are coming from and will let them perform any task from multiple windows (unless they launch a completely new instance of the browser - which like you said would only work if you were not using cookie based authentication). Sounds like you just need to educate your users a bit. -Steve On Thu, Jul 3, 2008 at 12:11 PM, Bruce Hodgdon [EMAIL PROTECTED]mailto:[EMAIL PROTECTED] wrote: Is there any way to force a new session, if a user opens a new tab then goes to the same app that is in the first window? We use the pretty standard cfapplication that allows cookies and session management. I have found that sometimes users will open a new tab and go to the same application basically executing the app twice from different windows.But since both these windows share session variables this can sometimes cause problems (changes in one window effect the other).Executing the browser twice keeps separate sessions.But since this is 2 windows in the same browser the cookie that points to the session id is the same. I guess one way around this is cookieless sessions, then I believe you would have to put the jsessionid on each url? I don't like doing that.And that wouldn't stop someone from copying and pasting the URL to another window and having the same issue. Or is there a good way to tell if the user does have 2 windows open with the same session? Or other slick ways around this issue? - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by FusionLinkhttp://www.fusionlink.com - -- Steven Ross web application interface developer http://blog.stevensross.com [mobile] 404-488-4364 [fax] (404) 592-6885 [ AIM / Yahoo! : zeriumsteven ] [googleTalk : nowhiding ] - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by FusionLinkhttp://www.fusionlink.com - - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -
Re: [ACFUG Discuss] Cookies/Sessions when opening a new window in tabbed browsers
Allen, Sorry, but you are wrong here. You cannot do that. If the cookie is on disk, it is shared across all browser instances. Session cookies (non-persistent) may work if you can guarantee separate browser instances, which you can't do with tabs. I'd suggest some reading on the basics of the HTTP protocols for further info. The HTTP book from O'Reilly is good. -dhs Dean H. Saxe, CISSP, CEH [EMAIL PROTECTED] [T]he people can always be brought to the bidding of the leaders. This is easy. All you have to do is to tell them they are being attacked, and denounce the pacifists for lack of patriotism and exposing the country to danger. It works the same in every country. --Hermann Goering, Hitler's Reich-Marshall at the Nuremberg Trials On Jul 3, 2008, at 12:44 PM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Well..maybe, maybe not... Just for theoretical sake...you COULD make this work - would it be worth the trouble, that really depends on how many users do what was described below. But, you COULD get creative... Something like this. Let's say that there's a portal page to your application...you could actually force a new cfid and cftoken on that page and ALSO, you'd have to make sure it wasn't a temporary cookie. You'd have to make it a persistent cookie so that it wasn't in the browsers memory (otherwise they'd collide). Then, each tab would basically have it's own cfid/cftoken pair that would be unique to those browser sessions and you could have the user running two different sessions at a time. If you're not familiar with how the cookie is handled for the cf session, you'll definitely want to do some reading on that. Now, I will say with that with this approach, you may run into some weird things that you had not thought about before...but in theory, it's possible. Allen From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven Ross Sent: Thursday, July 03, 2008 12:33 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] Cookies/Sessions when opening a new window in tabbed browsers What you are asking to do really isn't possible because of the stateless nature of http because you can't tell where the user is coming from. If they are authenticated then the application / web server has no idea what client (browser window) they are coming from and will let them perform any task from multiple windows (unless they launch a completely new instance of the browser - which like you said would only work if you were not using cookie based authentication). Sounds like you just need to educate your users a bit. -Steve On Thu, Jul 3, 2008 at 12:11 PM, Bruce Hodgdon [EMAIL PROTECTED] wrote: Is there any way to force a new session, if a user opens a new tab then goes to the same app that is in the first window? We use the pretty standard cfapplication that allows cookies and session management. I have found that sometimes users will open a new tab and go to the same application basically executing the app twice from different windows.But since both these windows share session variables this can sometimes cause problems (changes in one window effect the other).Executing the browser twice keeps separate sessions. But since this is 2 windows in the same browser the cookie that points to the session id is the same. I guess one way around this is cookieless sessions, then I believe you would have to put the jsessionid on each url? I don't like doing that.And that wouldn't stop someone from copying and pasting the URL to another window and having the same issue. Or is there a good way to tell if the user does have 2 windows open with the same session? Or other slick ways around this issue? - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by FusionLink - -- Steven Ross web application interface developer http://blog.stevensross.com [mobile] 404-488-4364 [fax] (404) 592-6885 [ AIM / Yahoo! : zeriumsteven ] [googleTalk : nowhiding ] - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by FusionLink - - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org
RE: [ACFUG Discuss] Cookies/Sessions when opening a new window in tabbed browsers
I'll take your word for it... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe Sent: Thursday, July 03, 2008 12:50 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] Cookies/Sessions when opening a new window in tabbed browsers Allen, Sorry, but you are wrong here. You cannot do that. If the cookie is on disk, it is shared across all browser instances. Session cookies (non-persistent) may work if you can guarantee separate browser instances, which you can't do with tabs. I'd suggest some reading on the basics of the HTTP protocols for further info. The HTTP book from O'Reilly is good. -dhs Dean H. Saxe, CISSP, CEH [EMAIL PROTECTED] [T]he people can always be brought to the bidding of the leaders. This is easy. All you have to do is to tell them they are being attacked, and denounce the pacifists for lack of patriotism and exposing the country to danger. It works the same in every country. --Hermann Goering, Hitler's Reich-Marshall at the Nuremberg Trials On Jul 3, 2008, at 12:44 PM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Well..maybe, maybe not... Just for theoretical sake...you COULD make this work - would it be worth the trouble, that really depends on how many users do what was described below. But, you COULD get creative... Something like this. Let's say that there's a portal page to your application...you could actually force a new cfid and cftoken on that page and ALSO, you'd have to make sure it wasn't a temporary cookie. You'd have to make it a persistent cookie so that it wasn't in the browsers memory (otherwise they'd collide). Then, each tab would basically have it's own cfid/cftoken pair that would be unique to those browser sessions and you could have the user running two different sessions at a time. If you're not familiar with how the cookie is handled for the cf session, you'll definitely want to do some reading on that. Now, I will say with that with this approach, you may run into some weird things that you had not thought about before...but in theory, it's possible. Allen From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven Ross Sent: Thursday, July 03, 2008 12:33 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] Cookies/Sessions when opening a new window in tabbed browsers What you are asking to do really isn't possible because of the stateless nature of http because you can't tell where the user is coming from. If they are authenticated then the application / web server has no idea what client (browser window) they are coming from and will let them perform any task from multiple windows (unless they launch a completely new instance of the browser - which like you said would only work if you were not using cookie based authentication). Sounds like you just need to educate your users a bit. -Steve On Thu, Jul 3, 2008 at 12:11 PM, Bruce Hodgdon [EMAIL PROTECTED] wrote: Is there any way to force a new session, if a user opens a new tab then goes to the same app that is in the first window? We use the pretty standard cfapplication that allows cookies and session management. I have found that sometimes users will open a new tab and go to the same application basically executing the app twice from different windows.But since both these windows share session variables this can sometimes cause problems (changes in one window effect the other).Executing the browser twice keeps separate sessions. But since this is 2 windows in the same browser the cookie that points to the session id is the same. I guess one way around this is cookieless sessions, then I believe you would have to put the jsessionid on each url? I don't like doing that.And that wouldn't stop someone from copying and pasting the URL to another window and having the same issue. Or is there a good way to tell if the user does have 2 windows open with the same session? Or other slick ways around this issue? - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by FusionLink - -- Steven Ross web application interface developer http://blog.stevensross.com [mobile] 404-488-4364 [fax] (404) 592-6885 [ AIM / Yahoo! : zeriumsteven ] [googleTalk : nowhiding ] - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by FusionLink
Re: [ACFUG Discuss] Cookies/Sessions when opening a new window in tabbed browsers
On Thu, Jul 3, 2008 at 12:11 PM, Bruce Hodgdon [EMAIL PROTECTED] wrote: Is there any way to force a new session, if a user opens a new tab then goes to the same app that is in the first window? Short answer - no. I have found that sometimes users will open a new tab and go to the same application basically executing the app twice from different windows. This is a pretty common user behavior, and I (as a user) would expect any site to handle this gracefully. I guess one way around this is cookieless sessions I don't think this will do anything to solve your problem. Or is there a good way to tell if the user does have 2 windows open with the same session? Not really. Why don't you attack this a different way? Since I think the whole open in two tabs behavior is pretty normal, I don't think you should try to mess with the user's experience by trying to prevent it. What specifically does your app do that's bad when two tabs are open? I suspect changing the app's architecture to gracefully deal with two open tabs will be easier, and will make for a more positive user experience at the same time. Frankly, if I tried to a open a site in a second tab and it prevented me from opening the tab or reset my session, I'd think it was a poorly designed site and be grumpy. -Cameron -- Cameron Childress Sumo Consulting Inc http://www.sumoc.com --- cell: 678.637.5072 aim: cameroncf email: [EMAIL PROTECTED] - To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -