how to prevent user to relogin in the same browser but different teb.Suppose i have loggid in gmail in a browser.But in the same browser in different tab ,if i login again, it will redirect me to the same page but my requirement is that it should redirect me to the gmail home page.Can any one solve this plz....
You'll need to store two cookies, and you'll need a way to distinguish between the two cookies in the two sessions. The only way I know to do this is to encode part of the cookie in every single GET query made from a single "session".
Related
So I have few things to say I don't want to use cookies so things like express-session doesn't come as option.
I use nodejs with express with no front-end JavaScript and mysql as database. I don't really know how to do it so I would like to hear your opinion.
I already tried to search on internet.
When dealing with regular web pages, there are only four places in a request to store information that would identify a session.
Cookie sent with each request
Custom header on each request
Query parameter with each request
In the path of the URL
You've ruled out the cookie.
The custom header could work for programmatic requests and is regularly used by Javascript code with various types of tokens. But, if you need a web browser to maintain or send the session on its own, then custom headers are out too.
That leaves query parameters or in the path of the URL. These both have the same issues. You would create a sessionID and then attach something like ?sessionID=92347987 to every single request that your web page makes to your server. There are some server-side frameworks that do sessions this way (most have been retired in favor of cookies). This has all sorts of issues (which is why it isn't used very often any more). Here are some of the downsides:
You have to dynamically generate every single link in a web page so that it will include the right sessionID as part of the link so if the user clicks on it, the resulting http request will have the right sessionID included.
All browser caching has to be disabled or bypassed because you don't want the browser to use cached web pages that might contain the wrong sessionID.
User bookmarks basically don't work because they end up bookmarking a URL with a sessionID in it that won't last forever.
The user sees sessionID=xxxx in all their URLs.
Network infrastructure that log the URLs of requests will include the sessionID (because it's in the URL). This is considered a security risk.
All that said and with those tradeoffs, it can be made to work, but it is not considered the "safest" way to do it.
Let's say we have two websites: GoodGuys.com and BadGuys.com
If a user visits BadGuys.com, could this website subsequently make a request to view cookies from GoodGuys.com?
Without some sort of exploit of the browser, I don't believe so.
It is possible for badly coded websites to have a comment section, for example, that a malicious user could type in some javascript, which would be executed by any user who views it could post cookies to another place...
On session timeout we re-direct to the login page and if the user logs back into the portal he gets re-directed to the page he was trying to navigate in the first place.
In our case, the re-directed page tries to fetch values from the session and it fails badly with exceptions and it works just fine when there is no dependency on pages which don't have any dependency on session variables.
What is the best way to handle the situation? Can we just redirect this to the home page instead, if so how to do this?
It depends on how much information you are storing in the session, as a guideline, you should always the "shortest" scope ever.
Probably your best option is to allow redirect only on stateless pages, so that it won't give you any problem about inconsistent state.
As for your last problem, take a look at this: redirecting-on-session-timeout-in-jsf-richfaces-facelet. Just set the tag to whatever you want.
I initially designed my site to show a login box at the top of the page if the user was not authenticated (e.g. how reddit.com works).
I encountered a user who was having trouble with their browser's storage of their password because after a password change because their browser had stored their login information at different urls on the website. Even after the user typed correctly the new login information at one url, and the browser updated it, there would be other urls at which the browser had the incorrect login information.
This would also cause problems with sites that have a login box on their main page, and a special login page -- especially if the user front page login box is sent to the login page.
Is this a small enough case not to bother with, or should there only be one url at which a user can login to prevent this problem, especially for less technically-savvy audiences?
There should be one login page that every other page accessible sans login links to. It standardizes the process of logging in and reduces the kind of confusion your user experienced. It conforms to a convention that all the browsers are using with respect to saving passwords as well. Don't really see how you can go wrong that way.
Most sites use a single "sign in" button that takes you to the canonical login page.
If you want a signin box on every page that the browser can remember, consider using an iframe to hold the form.
I believe that if there is any way to use only ONE login location you should try to do it that way.
As you yourself said it's quite hard for browsers to determine what to do with stored passwords for sites with multiple login locations. There are possibly other problems and all of them are solved by having exactly one login location.
If you need to provide login from more places, just use redirection. But getting "in" your system should be done from one single place.
Just have one login page and have the other pages on your site linking to it. It keeps it simple for end users as there is only one page and easy for you to manage as you one have one login page.
I found that IE7 maintains same session for multiple tabs in a single browser window and thus doesn't support different sessions for different tabs in a single browser window. My client needs that the application should work perfectly in two different tabs in a single browser window. i think this is because of session and cookie problem. Is there a workaround for this.
Appreciate your help in this regard.
Thanks,
Manoja Swaro
Browser tabs share cookies (and not just in IE, in Firefox and the others as well), and the cookies contain the session ID.
You could switch to cookie-less sessions however this has security and usability concerns. URL based sessions are easily hijacked, and it breaks bookmarking as well, as each page has a unique URL per session.
IE7 doesn't maintain a 'session' as such, you're talking about a cookie with a session ID in it, I would guess. All browsers will have one value for a cookie, it doesn't vary by window/tab.
If you want a session ID to travel with the click trail, you're going to have to pass it from page to page, by (for instance) passing it as a URL parameter and ensuring that you add the parameter to the URL within the page. (Or do without a session.)
The real solution is to change your application so it doesn't assume each session has only one page. An application that can't be open in multiple tabs is broken.
This can be hard if this assumption is already deeply embedded in your code.