I am working on a JSF 1.2 application. Consider the following use case with a browser with 2 tabs:
In the first tab I login with user 'TEST'.
In the second tab I login with user 'TEST2'.
When I return back to the first tab, the logged-in user is changed to 'TEST2'.
How can I restrict the login to the current tab instead of all tabs? In other words, how can I restrict the HTTP session to one tab instead of all tabs of the browser instance?
Try to use the Private Tab. This will do the trick.
The private tab does not hold cookies. So it's a new session cookie for each tab.
NEW:
Another approach is disabling the cookies for your browser.
The default JSF behavior is concatenating the JSESSIONID in the URL.
So each tab will have a different JSESSIONID as a URL parameter.
Simply use 2 different browsers (like chrome and firefox)
If you're using FireFox install the MultiFox plugin
Related
My Angular application URL structure is as below:
Domain/clientCode/*
And the backend API which is a Node application is setting cookie as below:
Fetch clientCode from the URL and set cookie as:
response.cookie('client', clientCode, { httpOnly: true });
Now the problem is When we open Multiple client URIs in different browser tabs (Chrome) in Quick succession, all the tabs get same value for client cookie. If we open different client tabs once pervious one gets loaded then cookie is setting properly for each tab.
Example:
When we open below URLs in different tabs in Chrome in quick succession:
Domain/ABC/*
Domain/BCD/*
Domain/DEF/*
Domain/XYZ/*
The client cookie has same value for multiple tabs(We want it to be different for each tab as per the clientCode in the URL).
I know that cookies are saved for a domain and doesn't consider other values in the URL but Its working fine when we open multiple URLs with little bit of gap.
Thanks in advance.
This is happening because you are setting a static cookie for your domain. You need to set dynamic cookies to avoid the issue.
For example: You may set the cookie name for the username = 'Michelle' with random dynamic values like Michelle_456900234. For each login session, you will have a dynamic value associated with it. While retrieving the value just find the substring username.
I have an MVC 5 app that uses OWIN middleware for Identity Framework. Right now it's working correctly and sends unauthorized users to the Account/Login page. The app uses local login (not facebook/google etc).
I need to change it so that it opens a modal popup asking for username/password instead of redirecting to a page. How would I do that?
Update:
Thanks #SteveGreene and #chris. Let me clarify a little bit more. Yes I know I can easily use a modal popup when the user explicitly wants to login. What I want is when they click a link to a controller/action that requires authorization, instead of the app redirecting them to login page (or the controller page), it should show a popup. Once they login the page should then be redirected to the controller/action they requested. If I were to take Chris's suggestion and check within the controller, I would not be able to use [Authorize] attribute correct? Is there a better way then just checking for authentication manually in all the actions?
Really, this is not any different than just a standard login form. The only real difference is that the form is within a modal popup hidden initially, part of the layout or otherwise on every page, and any login links you have will merely activate this popup rather than navigate to a new URL. After login, you're going to still want to do a redirect even if it's back to the same page, just so MVC can actually fill in the user principal in the HttpContext.
However, you're still going to need a standard login form for redirecting to when the user navigates to a page requiring authorization. First, you can't dynamically set the URL MVC will navigate unauthorized users to. It's set in the web.config and that's all you get. Second, even if you could, you can't simultaneously protect a page and display it, even if you intend to have a modal login form displayed on top of it. You would have to allow anonymous access to all pages, at which point you could determine if the user is authenticated or not on page and show the login form modal if necessary. However, at this point, a clever user could just dig into the developer tools of their browser and just remove the modal and proceed to work with the page.
Long and short, you can have a modal login form for when the user explicitly chooses to login, but if they hit a page requiring authorization, you'll still need a standard form to redirect them to.
how to prevent user to relogin in the same browser but different teb.Suppose i have loggid in gmail in a browser.But in the same browser in different tab ,if i login again, it will redirect me to the same page but my requirement is that it should redirect me to the gmail home page.Can any one solve this plz....
You'll need to store two cookies, and you'll need a way to distinguish between the two cookies in the two sessions. The only way I know to do this is to encode part of the cookie in every single GET query made from a single "session".
I found that IE7 maintains same session for multiple tabs in a single browser window and thus doesn't support different sessions for different tabs in a single browser window. My client needs that the application should work perfectly in two different tabs in a single browser window. i think this is because of session and cookie problem. Is there a workaround for this.
Appreciate your help in this regard.
Thanks,
Manoja Swaro
Browser tabs share cookies (and not just in IE, in Firefox and the others as well), and the cookies contain the session ID.
You could switch to cookie-less sessions however this has security and usability concerns. URL based sessions are easily hijacked, and it breaks bookmarking as well, as each page has a unique URL per session.
IE7 doesn't maintain a 'session' as such, you're talking about a cookie with a session ID in it, I would guess. All browsers will have one value for a cookie, it doesn't vary by window/tab.
If you want a session ID to travel with the click trail, you're going to have to pass it from page to page, by (for instance) passing it as a URL parameter and ensuring that you add the parameter to the URL within the page. (Or do without a session.)
The real solution is to change your application so it doesn't assume each session has only one page. An application that can't be open in multiple tabs is broken.
This can be hard if this assumption is already deeply embedded in your code.
I use a web application that forces you to reauthenticate with the application even if you open a new browser window that shares the same session, e.g. File, New Window in Internet Explorer. I was surprised since I thought that if you opened a new browser window from File, New in both IE and Firefox (vs. starting a new browser process) that it would share the same session.
Using an Internet Explorer cookie viewer/editor, I saw no cookies for this application at all.
How do they likely implement this forced authentication scheme that seems to disallow new browser windows from continuing the session?
One common approach is to pass a session ID in the URL.
For instance, asp.net uses this approach for cookieless sesssions. URLs within the application are rewritten to contain a session ID.
there are two possibilities for this:
it's session id stored in all <a href=''> , so clicking on link automatically sends some data to server.
Same, but with POST queries (hidden form fields)