My requirement is: if a user is logged into the website and then opens the same website in a new tab, I have to check for an existing session. If one exists, bypass the login screen and send them to the welcome screen. How can I do this?
Usually you want to prevent the user from logging in when opening a second tab, using concurrent sessions. As for keeping track of the session, that depends on what you are using: for example, Spring Security login, which creates the session on login (you can set its timeout too).
I am using SessionAware of Struts2 for creating the session. When we create the session, JSESSIONID is added to the cookies. But when I quit the browser, JSESSIONID is deleted. So after quitting the browser, when I open the application again, it shows that the user is not logged in.
How can I make it so in Struts2 that JSESSIONID is not deleted when the browser is closed?
The lifetime of a session is coupled with the browser. After you've closed the last instance (window, tab) of the browser, the JSESSIONID expires.
You need to carefully analyze pros and cons of allowing a user to relogin automatically after the browser has been closed, but if you still want to implement the Remember me feature, this is a must-read:
PART II: How To Remain Logged In - The Infamous "Remember Me" Checkbox
That is how sessions work. If you want to secure your application with a login feature, you shouldn't allow a user to access your application easily just by opening the browser. What if someone forgets to log out?
However, if you still want to store something in the browser, use a normal cookie and set an expiry time.
I have an ajax-based site built in Spring MVC. The header shows the user that is logged in and a menu to browse to other pages. On click of a menu item the page is changed via an ajax call and the menu/header remains the same. Here is the problem I am facing:
1- Logged in as user1
2- Click Profile Page to see its profile (loads fine via ajax)
3- Open another tab, open the same site, log out and log in as user2
4- Come back to the first tab, click Profile Page again
This time it shows the profile of user2, but the header/menu is still showing user1.
How do I implement this solution? Or is there any better solution here?
-- As soon as a user is logged out, the web site should refresh to the login page on all tabs where it is open in the same browser.
Not sure you understand why the behavior is like this, so I'll quickly explain it.
Explanation
Usually you have a single session per browser instance and not per tab. Hence, if you start browser X twice and load the application once in each instance you would not have this problem.
However, in a single browser instance the application loaded into tab 1 doesn't realize that you logged out and logged in with a different user in tab 2. It keeps a single session cookie per browser instance. Then if you interact with the application in tab 1 it finds the session cookie created when you logged in in tab 2 and uses it.
Solution
One solution (out of several) would be to update the header every time you load one of the content pages. For this to work you either need to store the user information (id, name, etc.) in a cookie when the user logs in and read it from the cookie when the content page is loaded, or you send the user information along with every content page; of course it'd have to be hidden somewhere.
What is the best approach to ensure that a specific page (assume a single-page Web application) is open only in one browser tab?
Assume the Java Web app has authentication, i.e. user has to sign in (so we can identify which page is being viewed by which user via Java Session API).
The intention is that if another tab is opened for the same URL, the user will be redirected to a static page that tells him he has the application open somewhere else (another tab).
My current approach fails to work for tabs in the same browser, since JSESSIONID is stored in cookies, that are available for all browser's tabs.
I assume your current use case is this:
The user opens a browser tab, loads your application page and logs in.
The user then opens a second browser tab, loads your application page and is already logged in (because the browser has the same session cookies for all tabs or windows).
And you want to restrict the user so that when they load the second tab, they instead see a warning message saying: You have already logged into this site elsewhere, please use that window, or if you no longer have that window open, click here to log out and log back in again.
Most solutions will involve keeping a one time token for the instance of the application along with the session. If your application loads up in a single page and presents the user with a login box then when the user logs in you could send the one time token, store it in a javascript variable and send it with all server requests.
If the user then loads up the application in a new tab, they request their initial data and the server can generate a response saying that the token is not present and they need to logout, close the window or switch to the already logged in window.
So the answer is basically that you want to store a random string in your session on the server, serve it to the user on login and check that every request has it, otherwise bounce them to a logout page. And in the javascript of the web client, store that token and send it with every request to the server.
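A servlet Filter that enforces the per-session, one-tab token this answer describes, as an added example (not code from the answer or from any project). It assumes the login code calls `InstanceTokenFilter.issue(session)` and hands the returned token to the page, that the client sends it back in a header named `X-App-Instance` on every data request, and that the filter is mapped in web.xml to the data path only (say `/api/*`), so the initial HTML load of a second tab is not blocked:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

public final class InstanceTokenFilter implements Filter {
    static final String SESSION_ATTR = "appInstanceToken"; // assumed attribute name
    static final String HEADER = "X-App-Instance";         // assumed header name
    private static final SecureRandom RNG = new SecureRandom();

    /** Called once by the login code: mints the token only the first tab will hold. */
    public static String issue(HttpSession session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(SESSION_ATTR, token);
        return token;
    }

    /** True only if the request carries exactly the token bound to this session. */
    static boolean matches(HttpSession session, String presented) {
        if (session == null || presented == null) return false;
        Object expected = session.getAttribute(SESSION_ATTR);
        return expected instanceof String && MessageDigest.isEqual( // constant-time compare
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getSession(false): never create a session here; an anonymous caller must fail too.
        if (!matches(request.getSession(false), request.getHeader(HEADER))) {
            // A second tab shares the JSESSIONID cookie but never received the token,
            // so its data requests are refused and the client shows the "open elsewhere" page.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_CONFLICT,
                    "Application already open in another tab");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

The token lives only in a javascript variable of the first tab, never in a cookie, which is exactly why the second tab cannot present it even though it shares the session.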
You can create an asynchronous call to the backend (keyword: long polling) and send single bytes through it to keep it alive. As long as it is alive, the tab is open. If a second call comes in, you can test on that.
What is the best way to keep the same session when you open the same Java webapp in another tab in the browser, passing parameters like username/password in the most secure way?
The purpose behind is to navigate the webapp to next navigation page after doing some request to some service.
I am doing it at the client side.
This is a thought coming to my mind right now:
To add the parameters in the URL (not secure)
.....
In your server you can check whether the incoming request has a valid session or not; if it has a valid session, retrieve the username or a similar identifier from the session.
Depending upon the user you can show him/her the home page which they would enter if they had actually logged into the system.
If you want to show a response based on the last action, then you can keep the last action as part of your session, with rules on your server that fetch the correct page depending upon the last action.
For example, Gmail will always show you the inbox if you have a valid session in one tab and you open Gmail again in another tab.
If this is handled at the server level it is highly secure, as there is no need to append or send user credentials.
We have a web application where users can login.
Now what we want is that the same user should not be able to login using different browsers.
Basically, currently a user using two different browsers (IE and FF) can log in to the same account at the same time. When you hit the login button, is it possible to invalidate all other logins for that account?
What is the best possible approach to do this?
PS: We are using Struts, Spring and Hibernate in our web application.
Thanks!
Doing this on the server side is your best bet. You can keep track of logged-in users in your application context.
Well, a little hint. Make use of a Servlet Filter, say AuthFilter, and do the validation, maybe isAlreadyLoggedIn(), over there beside other validations like username/password etc. Now after having this check in place, you either (it depends what you want to do with the user trying to log in) show the message "user already logged in", or you let the user log in and invalidate the previous session. As discussed here.
You can store the logged-in user information in the database or you can get it from the application context, and if the user is already logged in, don't allow him to make another session.
Google uses some IP address mechanism to log out the user logged in on another computer, instead of logging off in the same browser or tab.
Maybe we can use the GeoLiteCity geoip database to save the user's IP, plus Balusc's answer of storing the session using the user as the key and the IP address, for the solution.
Have a column isLoggedIn in the database. Set it to Y if logged in; if the same user logs in from another computer or browser, invalidate the session. Mind to set it to N if the session expires.
For the best answer, read Balusc's answer:
prevent-multiple-login-using-the-same-user-name-and-password using HttpSessionBindingListener.
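The HttpSessionBindingListener approach the answers above refer to (one live session per account, the newer login invalidating the older one), as an added example that is not code from the linked answer or from any project. It assumes the login action stores the user with `session.setAttribute("user", new User(username))`, that accounts are identified by username, and that the old session is invalidated rather than the new login refused:

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Session attribute whose bind/unbind callbacks enforce one live session per account. */
public final class User implements HttpSessionBindingListener {
    // Application-wide registry: which session currently holds each account.
    private static final Map<User, HttpSession> LOGINS = new ConcurrentHashMap<>();

    private final String username;

    public User(String username) {
        this.username = username;
    }

    /** Fires when the login action stores this object in the new session. */
    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        HttpSession previous = LOGINS.put(this, event.getSession());
        if (previous != null && previous != event.getSession()) {
            try {
                previous.invalidate();   // kicks out the other browser or computer
            } catch (IllegalStateException alreadyInvalid) {
                // the old session expired in the meantime: nothing left to invalidate
            }
        }
    }

    /** Fires on logout, on session expiry, and on the invalidate() above. */
    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        // Remove only if the registry still points at this session, so the unbind of
        // the kicked-out session cannot erase the entry the new login just made.
        LOGINS.remove(this, event.getSession());
    }

    /** For an AuthFilter-style isAlreadyLoggedIn() check, if you prefer refusing the login. */
    public static boolean isLoggedIn(String username) {
        return LOGINS.containsKey(new User(username));
    }

    @Override public boolean equals(Object o) {
        return o instanceof User && ((User) o).username.equals(username);
    }
    @Override public int hashCode() { return username.hashCode(); }
}
```

Because expiry also triggers valueUnbound, the registry cleans itself up without the isLoggedIn database flag that the other answer has to reset by hand.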