Java: ensure web application open only in one browser tab

What is the best approach to ensure that a specific page (assume a single-page Web application) is open only in one browser tab?
Assume the Java Web app has authentication, i.e. user has to sign in (so we can identify which page is being viewed by which user via Java Session API).
The intention is that if another tab is opened for the same URL, the user will be redirected to a static page that tells him he has the application open somewhere else (another tab).
My current approach fails to work for tabs in the same browser, since JSESSIONID is stored in cookies, which are available to all of the browser's tabs.

I assume your current use case is this:
The user opens a browser tab, loads your application page and logs in.
The user then opens a second browser tab, loads your application page and is already logged in (because the browser has the same session cookies for all tabs or windows).
And you want to restrict the user so that when they load the second tab, they instead see a warning message saying: You have already logged into this site elsewhere, please use that window, or if you no longer have that window open, click here to logout and log back in again.
Most solutions will involve keeping a one-time token for the instance of the application along with the session. If your application loads up in a single page and presents the user with a login box, then when the user logs in you could send the one-time token, store it in a JavaScript variable and send it with all server requests.
If the user then loads up the application in a new tab, they request their initial data and the server can generate a response saying that the token is not present and they need to logout, close the window or switch to the already logged in window.
So the answer is basically that you want to store a random string in your session on the server, serve it to the user on login and check that every request has it, otherwise bounce them to a logout page. And in the JavaScript of the web client, store that token and send it with every request to the server.
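
The check described in the answer above, as an added example that is not part of the original answer. A `Map` stands in for the servlet `HttpSession`, and the class name `TabTokenGuard` and the attribute name `tabToken` are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class TabTokenGuard {
    // Hypothetical attribute name; in a servlet this would be an HttpSession attribute.
    static final String ATTR = "tabToken";
    private static final SecureRandom RNG = new SecureRandom();

    /** Called once at login: binds a fresh random token to the session and returns it to the page. */
    static String issue(Map<String, Object> session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(ATTR, token);
        return token;
    }

    /** Called on every request: true only if the presented token matches the session's. */
    static boolean check(Map<String, Object> session, String presented) {
        Object expected = session.get(ATTR);
        if (!(expected instanceof String) || presented == null) {
            return false; // no login yet, or a tab that never received the token
        }
        // Constant-time comparison so the check does not leak how many characters matched.
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed scenario: one server-side session shared by two tabs via the same cookie.
        Map<String, Object> session = new HashMap<>();
        String tab1Token = issue(session);   // tab 1 logs in and keeps the token in a JS variable

        System.out.println("tab 1, token sent:    " + check(session, tab1Token));
        System.out.println("tab 2, no token:      " + check(session, null));
        System.out.println("tab 2, guessed token: " + check(session, "AAAA"));

        // "Log out and log back in" from tab 2 rotates the token; tab 1's copy stops working.
        String tab2Token = issue(session);
        System.out.println("tab 2 after re-login: " + check(session, tab2Token));
        System.out.println("tab 1, stale token:   " + check(session, tab1Token));
    }
}
```

In a servlet filter the same `check` would run before every request, reading the token from a request header or parameter that the page's JavaScript sets. A token held only in a JavaScript variable is also lost when the first tab reloads.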

You can create an asynchronous call to the backend (keyword: long time polling) and send single bytes through it to keep it alive. As long as it is alive, the tab is open. If a second call comes in you can test on that.

Related

JSESSIONID is deleted when browser quits

I am using SessionAware of Struts2 for creating a session. When we create a session, JSESSIONID is added to the cookies. But when I quit the browser, JSESSIONID is deleted. So after quitting the browser, when I open the application again, it shows that the user is not logged in.
What can I do in Struts2 so that JSESSIONID is not deleted when the browser is closed?
The lifetime of a session is coupled with the browser. After you've closed the last instance (window, tab) of the browser, the JSESSIONID expires.
You need to carefully analyze pros and cons of allowing a user to relogin automatically after the browser has been closed, but if you still want to implement the Remember me feature, this is a must-read:
PART II: How To Remain Logged In - The Infamous "Remember Me" Checkbox
That is how sessions work. If you want to secure your application with a login feature, you shouldn't allow a user to access your application easily by just opening the browser. What if someone forgets to log out?
However, if you still want to store something in the browser, use a normal cookie and set an expiry time.

How to force Tomcat to always redirect the 1st request to login page in case of form-based authentication (Tomcat realm)

I have a bit of a strange requirement. My application is written in JSP and the server is Tomcat 7. I am using form-based authentication. Here is my problem description.
Let's say I am logged in to my application in one of the IE browser tabs. Now, I open a new tab and click the bookmarked application URL. As expected, since I was already logged in and the browser session is detected, instead of landing on the login page, the application directly lands on the status home page.
The requirement is that even if the user is logged in in one of the browser tabs and a valid browser session is available, the user should always be navigated to the login page rather than directly landing on the home page when trying to log in from another browser tab.
Appreciated for quick help.
I do not think your client fully understands what they are asking of you.
Imagine we could invent something quite nasty in JavaScript or with the referer header, or something like that, in order to achieve what they want. What if your user then entered different credentials in your tab #2? Is your client aware that the session open in tab #1 is the same for both of them?
Make them understand they are trying to override a basic behavior of web browsers, and even if they did it would be useless. Besides that, from a usability point of view, it would harm your application, since it would trick naive users into thinking they can open many sessions in the same browser instance... good luck!
Have the domain name (assuming that is the URL that is bookmarked) redirect to the login page and ensure this page is displayed even if the user is already logged in.
Then, if necessary (if they currently use a URL that's just your domain name) change your 'home' link, logo link etc to the URL of your home page.

Spring MVC - Redirect to login page in all tabs

I have an ajax-based site built in Spring MVC. In the header it shows the user that is logged in and a menu to browse to other pages. On click of a menu item the page is changed via an ajax call and the menu/header remains the same. Here is a problem I am facing:
1- Logged in as user1
2- Click Profile Page to see its profile (via ajax, loads fine)
3- Open another tab, open the same site, log out and log in as user2
4- Come back to the first tab, click Profile Page again
This time it shows the profile of User2, but the header/menu is still showing User1.
How to implement this solution? Or is there any better solution here?
-- As soon as a user is logged out, the web site should refresh to the login page on all tabs where it is open in the same browser.
Not sure you understand why the behavior is like this so I quickly explain it.
Explanation
Usually you have a single session per browser instance and not per tab. Hence, if you start browser X twice and load the application once in each instance you would not have this problem.
However, in a single browser instance the application loaded into tab 1 doesn't realize that you logged out and logged in with a different user in tab 2. It keeps a single session cookie per browser instance. Then if you interact with the application in tab 1 it finds the session cookie created when you logged in in tab 2 and uses it.
Solution
One solution (out of several) would be that you update the header every time you load one of the content pages. For this to work you either need to store the user information (id, name, etc.) in a cookie when the user logs in and read from the cookie when the content page is loaded. Or you send the user information along with every content page, of course it'd have to be hidden somewhere.

How to remove session if server is stopped

I developed the web application with Struts2. After logging in to my application, if I copy the URL and paste it into a different tab of the same browser, it goes straight in without restriction. In that situation I want to restrict it.
But copying and pasting the same URL into another browser works fine. The problem occurs only with a different tab of the same browser.
This is because your browser has stored your login authentication in the session. It will remember this until you either
Close all windows of the browser or
Choose New Session from the menu
If your question is about your development cycle, take a look at the answer of @Keppil.
If, however, you are asking about real user experience, this is more complicated. The browser indeed remembers your session ID in a cookie and sends it on each request. To override this mechanism you can create your own tokens that will always be appended to the URL.
When token is supplied it should send redirect response to URL without token.
The server side should throw user to login screen every time the token is not supplied and the request is not from redirect.
I have never tried to do this and I am not sure you really want to implement this. The ability of browser to connect to same session even if user opens another tab or browser window is very convenient and widely applicable.

Best way to keep session ongoing when going to other tab

What is the best way to keep the same session when you open the same Java webapp in another tab in the browser while passing parameters like username/password in the most secure way?
The purpose behind is to navigate the webapp to next navigation page after doing some request to some service.
I am doing it at the client side.
This is a thought coming to my mind right now:
To add the parameters in the URL (not secure)
.....
In your server you can check if the incoming request has a valid session or not, if it has a valid session, retrieve the username or similar identifier from the session.
Depending upon the user you can show him/her the home page which they will enter if they had actually logged in the system.
If you want to show response based on the last action, then you can have the last action as part of your session and rules on your server which should fetch the correct page depending upon the last action.
For e.g. gmail will always show you the inbox if you have a valid session in one tab and you again open gmail in another tab.
If this is handled at the server level it is highly secure, as there is no need to append or send user credentials.
