User session take over in IE (Ctrl+T scenario), as it uses the existing JSESSIONID and hence does not create a new session ID. This is easily reproducible if you do the following:

step 1: At the app launch, http://<login_url> (e.g. UUID sessionid is created - say a71a904c)
step 2: User A login is successful (binds userA -> a71a904c sessionid)
step 3: Ctrl+T; launch the app, http://<login_url> (existing JSESSION cookie found by IE). This is because IE opens the new tab under the same process.
step 4: User B login is successful (binds userB -> a71a904c sessionid)

*** Now UserB (last logged in user) takes over the session owned by userA. Any saves, etc., done by UserA are still saved (owned) as user UserB ***

Is there a way to prevent this? The easiest way would be to generate a new session.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/User-session-take-over-in-IE-cntrl-t-scenario-tp5583901p5583901.html
Sent from the Shiro User mailing list archive at Nabble.com.
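One way to get the "generate a new session on login" behaviour the poster asks for, written here as an added example rather than code from the post or from Shiro itself: a custom `FormAuthenticationFilter` (the class name `SessionRenewingFormAuthenticationFilter` is an assumption) that stops whatever session the request arrived with before delegating to Shiro's normal login. Because `DelegatingSubject` drops its session reference when that session is stopped, `subject.login()` then binds the authenticated principal to a freshly created session ID instead of the one a second IE tab inherited.

```java
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

/**
 * Hypothetical filter (added example, not part of Shiro) that prevents the
 * pre-login session ID from surviving authentication. Register it in
 * shiro.ini in place of "authc" for the login URL.
 */
public class SessionRenewingFormAuthenticationFilter extends FormAuthenticationFilter {

    @Override
    protected boolean executeLogin(ServletRequest request, ServletResponse response)
            throws Exception {
        Subject subject = getSubject(request, response);

        // Only look up an existing session; never create one here.
        Session preLoginSession = subject.getSession(false);
        if (preLoginSession != null) {
            // Invalidate the anonymous (or previously authenticated) session so the
            // ID carried by the JSESSIONID cookie can no longer be reused. Shiro's
            // DelegatingSubject clears its session reference on stop().
            preLoginSession.stop();
        }

        // FormAuthenticationFilter builds the UsernamePasswordToken from the form
        // and calls subject.login(token). Saving the authenticated principals
        // creates a new session, so the user gets a new session ID.
        return super.executeLogin(request, response);
    }
}
```

With container-managed sessions, `stop()` invalidates the underlying `HttpSession`, so the container issues a new JSESSIONID on the login response; note that a second tab holding the old ID is logged out rather than taking over the first user's session.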
