Yep - because it's the same sessionId and the session hasn't timed out yet
(cos the first client is still playing with it). The server doesn't know the
difference between a request from client A and client B except for the fact
that they have a different sessionId.

In fact this is what is known as 'session hijacking' and can be a security
problem as the sessionId is just part of the request (in the URL or in a
cookie) sent by the browser. If you're not using SSL, a hacker with a machine
in between the user's machine and the server with a packet sniffer can find
out the sessionId allocated to a logged-in user and take over their session
without needing to know passwords or anything like that!

You may be able to make use of certain request headers sent by the browser
to try and detect this situation - but I'm not sure which ones would be
appropriate - and different browsers don't necessarily send the same stuff
the same way - and even then it could only be a convenience feature rather
than a security feature as headers are easily spoofed.

Ahhh the joys of using a web based UI.... :-(

ps:
As Shishir just pointed out in another reply, if you're requiring your users
to authenticate then you can use CMA to force the browser to include a
userid and password in its requests, which might stop the problem of a
foreign machine taking over the session, though again this isn't secure as
the login info sent by the browser isn't encrypted afaik (for which you would
need SSL).
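
One way to do the header check described above, as an added example that is not part of the original message or of Struts: a servlet filter (the class name and session attribute name are hypothetical) that records the remote address and User-Agent on a session's first request and ends the session when a later request carrying the same sessionId comes from a different client. As the reply says, these values are easily spoofed, so this is a convenience check and not a replacement for SSL.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: ties each session to the client that first used it. */
public class SessionBindingFilter implements Filter {
    // Attribute name is an assumption made for this example.
    private static final String BOUND_TO = "example.session.boundTo";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // never create a session here

        if (session != null) {
            String seen = fingerprint(request);
            String bound = (String) session.getAttribute(BOUND_TO);
            if (bound == null) {
                // First request on this session: remember who it belongs to.
                session.setAttribute(BOUND_TO, seen);
            } else if (!bound.equals(seen)) {
                // Same sessionId, different client (e.g. a URL pasted on another
                // machine): end the session, which also logs out the first client.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Session expired");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    // Remote address plus User-Agent. Both can be forged, and clients behind a
    // shared proxy or NAT present the same address, so this is only a hint.
    private static String fingerprint(HttpServletRequest request) {
        String agent = request.getHeader("User-Agent");
        return request.getRemoteAddr() + "|" + (agent == null ? "" : agent);
    }
}
```

Map the filter to the application's URLs with a `<filter>` and `<filter-mapping>` entry in web.xml.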

-----Original Message-----
From: Prashanth.S [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 1 October 2003 17:16
To: Struts Users Mailing List; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: <CTRL-N> should not work in different machine...



Hi,
Thanks for the solution. Actually my problem is if I copy paste my
application URL from my machine and use it on other machine it still lets
user to go through the application but instead it should invalidate by
giving session time out error... So what to do???
Waiting for reply
Prashanth

Andrew Hill <[EMAIL PROTECTED]> wrote:
Eh?
That's something about XSLT

-----Original Message-----
From: Abhijeet Mahalkar [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 1 October 2003 14:54
To: Struts Users Mailing List
Subject: Re: should not work in different machine...


For this you have to trap the CTRL-N key event through HTML tags. GOTO

http://www.javaworld.com/javaworld/jw-12-2001/jw-1221-xslt.html?

link. Search, you will get the solution.

abhijeet



----- Original Message -----
From: "Prashanth.S"
To:
Sent: Wednesday, October 01, 2003 10:22 AM
Subject: should not work in different machine...


> Hi all,
> In my application I don't want [copy pasting the same URL in
> different window] to work... My application is sending sessionid in URL... So
> how I need to do this so that I can't browse through the application when I
> copy paste the URL in different machine???
> Thanks
> prashanth