Re: how to invalidate old sessions when new user access appl on same machine

2008-12-29 Thread Christopher Schultz

Nicolas,

Nicolas Romantzoff wrote:
> Session is bound to a connection (browser session) basically, not a
> machine.
> If you open a second browser (or a second tab) you should get a different
> session-id.

That's debatable, and depends on application requirements.

> Don't use JSESSIONID in url parameters, but in session cookie (unless you
> need to cross protocols like http <-> https)

Actually, this is exactly backward: if you use JSESSIONID cookies, then
the browser will always have the same user "logged-in" no matter how
many windows you open. "Old" windows will suddenly inherit the
credentials of the "new" windows, etc.

If you want to be able to have multiple windows open from the same
web browser on the same machine with different logins, you need to
DISABLE the use of cookies. This is possible by setting cookies="false"
in your <Context> element for your webapp.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
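The setting Chris refers to, shown as an added configuration example (not part of the original post): a per-webapp context file that turns off cookie-based session tracking, so each window that carries its own `;jsessionid=...` path parameter keeps its own session. The file location is Tomcat's standard one; the comments describe the consequence the application has to live with.

```xml
<!-- META-INF/context.xml inside the webapp (or the webapp's <Context> entry
     in Tomcat's conf/server.xml). The default is cookies="true", which is the
     behaviour Chris describes: every window of the same browser shares one
     JSESSIONID cookie and therefore one login. -->
<Context cookies="false">
    <!-- With cookies disabled, Tomcat tracks the session only through the
         ;jsessionid=... path parameter. Every link, form action and redirect
         the application emits must therefore go through
         response.encodeURL() / response.encodeRedirectURL(); any URL that is
         emitted without it starts a brand-new, unauthenticated session. -->
</Context>
```

The trade-off is that session identifiers now appear in URLs, which is exactly what Vishnu's application already does (and what Nicolas advised against); the URL-rewritten id ends up in browser history, bookmarks and Referer headers, so a short session timeout and an absolute expiry on the authentication matter more in this configuration than with cookies.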



Re: how to invalidate old sessions when new user access appl on same machine

2008-12-19 Thread Mikolaj Rydzewski

André Warnier wrote:
> Well, user1 should not leave his window open when he goes off to drink
> a coffee.

Unless he locks his workstation when not in use.
No, not in the closet; e.g. with a password-protected screensaver ;-)

--
Mikolaj Rydzewski 





Re: how to invalidate old sessions when new user access appl on same machine

2008-12-19 Thread Ingmar Lötzsch
Hello,

you can use the Servlet API. First call invalidate() on the current
HttpSession instance and then getSession(true) on the request object
(HttpServletRequest) to start a new session.

Nicolas Romantzoff wrote:
> That's a problem in your server code...
> 
> Session is bound to a connection (browser session) basically, not a
> machine.
> If you open a second browser (or a second tab) you should get a different
> session-id.

That's dependent on the browser and maybe the user settings. I'm using
Firefox and I'm happy that Firefox uses the same session in all
windows for the same host.

> Don't use JSESSIONID in url parameters, but in session cookie (unless you
> need to cross protocols like http <-> https)

Shouldn't this be transparent to the developer?

> For security, you will have to bind an 'ending' date to the session's
> authentication.

Isn't the session timeout enough?






RE: how to invalidate old sessions when new user access appl on same machine

2008-12-19 Thread Nicolas Romantzoff
That's a problem in your server code...

Session is bound to a connection (browser session) basically, not a
machine.
If you open a second browser (or a second tab) you should get a different
session-id.
Don't use JSESSIONID in url parameters, but in session cookie (unless you
need to cross protocols like http <-> https)

For security, you will have to bind an 'ending' date to the session's
authentication.


Nicolas Romantzoff
General Manager
Tél.: (+33) 478 53 65 17 


-Original Message-
From: Vishnu Vardhana Reddy [mailto:vishnu...@gmail.com]
Sent: Friday, 19 December, 2008 12:55
To: users@tomcat.apache.org
Subject: how to invalidate old sessions when new user access appl on same
machine


hi all,

I am using the Mozilla browser to access my web application. User one accesses my
application using his credentials, but I left that browser open. After that I
am opening another Mozilla window and accessing my application using
different credentials, e.g. user2's credentials. User 2 also can access my
application, but when I open the first browser, I am automatically getting
the second user's session. How can we avoid this problem?

The application is using the session identifier (jSessionID) as the URL parameter for
session management.

Is it possible to invalidate the old session when a new user accesses on the same
machine?

thanks,
Vishnu










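The two server-side steps recommended in this thread (Ingmar's invalidate() followed by getSession(true) at login, and Nicolas's "ending date" bound to the authentication) combined into one added Java example. This is illustration code, not from any poster or from Tomcat itself: the servlet and filter names, the attribute names, the /login and /home paths and the eight-hour lifetime are all assumed for the example, and credentialsValid() is a placeholder for a real credential store lookup. It targets the javax.servlet API of the Tomcat 6 era.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login handler (mapped to /login in web.xml). On every successful
 * authentication it discards the session the request arrived with, starts a new
 * one with a new id, and records an absolute expiry for the authentication that
 * is independent of the container's idle timeout.
 */
public class LoginServlet extends HttpServlet {
    static final String USER_ATTR = "auth.user";
    static final String EXPIRES_ATTR = "auth.expiresAtMillis";
    /** Absolute lifetime of one authentication; a value chosen for this example. */
    static final long MAX_AUTH_LIFETIME_MS = 8L * 60 * 60 * 1000;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");

        if (!credentialsValid(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Step 1: invalidate whatever session this request arrived with. With URL-rewritten
        // ids that is the session whose id was embedded in the submitting page's URL, so a
        // login form reached from the previous user's window ends that user's session.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        // Step 2: start a fresh session with a new id for the newly authenticated user.
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(USER_ATTR, user);

        // Step 3: bind an ending date to this authentication, not just to session idleness.
        fresh.setAttribute(EXPIRES_ATTR, Long.valueOf(System.currentTimeMillis() + MAX_AUTH_LIFETIME_MS));

        // encodeRedirectURL appends ;jsessionid=... when the container is not using cookies.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/home"));
    }

    /** Placeholder for the real credential check; replace with a lookup in your user store. */
    private boolean credentialsValid(String user, String password) {
        return user != null && user.length() > 0 && password != null && password.length() > 0;
    }
}

/**
 * Hypothetical filter mapped to the protected URL space. A request whose session has
 * no authentication, or whose authentication has passed its ending date, has its
 * session invalidated and is redirected to the login page.
 */
class AuthExpiryFilter implements Filter {
    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        HttpSession session = req.getSession(false);
        Long expires = (session == null) ? null : (Long) session.getAttribute(LoginServlet.EXPIRES_ATTR);

        if (expires == null || System.currentTimeMillis() > expires.longValue()) {
            if (session != null) {
                session.invalidate();   // drop stale state instead of leaving it reachable
            }
            resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/login"));
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Applied to Vishnu's scenario: once user2 has logged in from a page that carried user1's id, user1's old window holds URLs with an id that no longer exists, so its next click reaches the filter without a valid session and lands on the login page. What the server cannot do is recognise that a fresh window with no id at all belongs to the same machine as user1's window; there is no request-level fact that links the two, which is why the absolute expiry and André's point about not leaving a logged-in window unattended remain the controls that actually bound the exposure.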



Re: how to invalidate old sessions when new user access appl on same machine

2008-12-19 Thread Vishnu Vardhana Reddy

Well, that's true, but we can't say it to the customer; they do as they like, but
we have to restrict it.
That's what I want: the case where the user forgot to log out.

awarnier wrote:
> 
> Vishnu Vardhana Reddy wrote:
>> hi all,
>> 
>> I am using the Mozilla browser to access my web application. User one accesses
>> my
>> application using his credentials, but I left that browser open. After
>> that I
>> am opening another Mozilla window and accessing my application using
>> different credentials, e.g. user2's credentials. User 2 also can access my
>> application, but when I open the first browser, I am automatically getting
>> the second user's session. How can we avoid this problem?
>> 
> Well, user1 should not leave his window open when he goes off to drink a 
> coffee.  That's basic security.  After all, you do not leave your 
> bank-card in the cash machine for the next user, or do you ?
> 
> 
> 
> 
> 
> 






Re: how to invalidate old sessions when new user access appl on same machine

2008-12-19 Thread André Warnier

Vishnu Vardhana Reddy wrote:
> 
> hi all,
> 
> I am using the Mozilla browser to access my web application. User one accesses my
> application using his credentials, but I left that browser open. After that I
> am opening another Mozilla window and accessing my application using
> different credentials, e.g. user2's credentials. User 2 also can access my
> application, but when I open the first browser, I am automatically getting
> the second user's session. How can we avoid this problem?

Well, user1 should not leave his window open when he goes off to drink a 
coffee.  That's basic security.  After all, you do not leave your 
bank-card in the cash machine for the next user, or do you ?



