I have added as many safeguards as I could think of to discourage users from logging into my application from multiple tabs. Unfortunatley, some information has the potential to be overwritten, because of the way sessions are used. My safeguards have
been effective on multiple tabs, but not multiple separate windows.
Is there a way to kill the session when another instance of the app is started on the same computer?
We just upgraded to IE9, but this was a problem in previous versions of IE as well.
We're also using ASP state for session management - I thought I would mention it, in case there is a way for it to be useful.
Unfortunately this is a very hard problem to solve. The real answer (which you're not going to like) is to not use Session state for state management for data that needs to be per-tab. Ultimately you will just need to educate users to not open multiple tabs.
As an alternative you can look into using WebStorage which is a client-side state management implementation. There are two parts: sessionStorage and localStorage. sessionStorage is per-tab (which is what you're looking for it seems) and goes away when the
tab is closed. localStorage is persistent and is shared across tabs and the persistence is under the user's cookie policy. Don't know if these help, but it's what more modern apps are using to manage state in lieu of session state.
Yes, I agree. Our user authentication system is session-based, so that permission info will persist throughout the application. There is nothing wrong with the security info currently . . .
However, in some places I have also used sessions to store unique identifiers for records. That's where the problem is. If 2 windows are open, and 2 different records are open in those windows, one record could be updated with the other info.
So, can I ask you specifically, since I am planning out the solution now . . .
And I realize this could be a really basic question I'm asking, if so, sorry . . .
I pass the unique ID in the URL as paramter, and then retrieve it in codebehind as querystring get the data, load the data, etc. I think I originally stored the ID as session var in case the paramater in the URL was ever tampered with. What would a good
alternative be? I could shove the unique ID in a hidden field, and then retrieve it before the update? Or is there a better way?
However, in some places I have also used sessions to store unique identifiers for records. That's where the problem is. If 2 windows are open, and 2 different records are open in those windows, one record could be updated with the other info.
Yep, this is the exact pain point.
So yes, I'd suggest if possible passing the ID as a query string paramater so each tab could have a different ID, and thus the page doing the update will only work with the ID passed to it. The real problem is that if you determine the ID on one page then
several pages later you then need to do the update. In essense you need to pass that ID page to page to page until you get to your update. You could code your app to pass this along as a query string to every page... but that's tedious. The other approach
is to use web storage (sessionStorage I mentioned above) to keep track of that ID per-tab. The difference in style is that this will need to be done in JavaScript. And then when you get to the final request where you pass the ID to the server your JavaScript
will have to pass the ID. This is the best I got for ya. Sorry we don't have a better solution, but like I said it's a very hard problem to solve and that's why there's no built-in answer in ASP.NET.
I figured. Fortunately I don't have many places where updates happen more than one page down. So I can change that easily enough when it's the ID, but what about storing a whole datatable in a session var? I may do that to load a gridview a little faster
upon return trips. There could still be problems with that in multiple browser windows, yikes! That's alot more work - any suggestions?
carriehoff
Member
37 Points
32 Posts
Stop IE9 from sharing session in multiple windows
Mar 12, 2012 05:18 PM|LINK
Hi all!
I have added as many safeguards as I could think of to discourage users from logging into my application from multiple tabs. Unfortunatley, some information has the potential to be overwritten, because of the way sessions are used. My safeguards have been effective on multiple tabs, but not multiple separate windows.
Is there a way to kill the session when another instance of the app is started on the same computer?
We just upgraded to IE9, but this was a problem in previous versions of IE as well.
We're also using ASP state for session management - I thought I would mention it, in case there is a way for it to be useful.
Thank you,
Carrie
BrockAllen
All-Star
27574 Points
4912 Posts
MVP
Re: Stop IE9 from sharing session in multiple windows
Mar 12, 2012 06:30 PM|LINK
Unfortunately this is a very hard problem to solve. The real answer (which you're not going to like) is to not use Session state for state management for data that needs to be per-tab. Ultimately you will just need to educate users to not open multiple tabs.
As an alternative you can look into using WebStorage which is a client-side state management implementation. There are two parts: sessionStorage and localStorage. sessionStorage is per-tab (which is what you're looking for it seems) and goes away when the tab is closed. localStorage is persistent and is shared across tabs and the persistence is under the user's cookie policy. Don't know if these help, but it's what more modern apps are using to manage state in lieu of session state.
Oh and here's the URL for info on WebStorage.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
carriehoff
Member
37 Points
32 Posts
Re: Stop IE9 from sharing session in multiple windows
Mar 12, 2012 08:33 PM|LINK
Yes, I agree. Our user authentication system is session-based, so that permission info will persist throughout the application. There is nothing wrong with the security info currently . . .
However, in some places I have also used sessions to store unique identifiers for records. That's where the problem is. If 2 windows are open, and 2 different records are open in those windows, one record could be updated with the other info.
So, can I ask you specifically, since I am planning out the solution now . . .
And I realize this could be a really basic question I'm asking, if so, sorry . . .
I pass the unique ID in the URL as paramter, and then retrieve it in codebehind as querystring get the data, load the data, etc. I think I originally stored the ID as session var in case the paramater in the URL was ever tampered with. What would a good alternative be? I could shove the unique ID in a hidden field, and then retrieve it before the update? Or is there a better way?
Thanks,
Carrie
BrockAllen
All-Star
27574 Points
4912 Posts
MVP
Re: Stop IE9 from sharing session in multiple windows
Mar 12, 2012 08:52 PM|LINK
Yep, this is the exact pain point.
So yes, I'd suggest if possible passing the ID as a query string paramater so each tab could have a different ID, and thus the page doing the update will only work with the ID passed to it. The real problem is that if you determine the ID on one page then several pages later you then need to do the update. In essense you need to pass that ID page to page to page until you get to your update. You could code your app to pass this along as a query string to every page... but that's tedious. The other approach is to use web storage (sessionStorage I mentioned above) to keep track of that ID per-tab. The difference in style is that this will need to be done in JavaScript. And then when you get to the final request where you pass the ID to the server your JavaScript will have to pass the ID. This is the best I got for ya. Sorry we don't have a better solution, but like I said it's a very hard problem to solve and that's why there's no built-in answer in ASP.NET.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
roopeshreddy
All-Star
20155 Points
3328 Posts
Re: Stop IE9 from sharing session in multiple windows
Mar 13, 2012 11:06 AM|LINK
Hi,
If you want new session in the same computer than do the following!
Launch IE,
File - > New Session
Roopesh Reddy C
Roopesh's Space
carriehoff
Member
37 Points
32 Posts
Re: Stop IE9 from sharing session in multiple windows
Mar 13, 2012 02:04 PM|LINK
I figured. Fortunately I don't have many places where updates happen more than one page down. So I can change that easily enough when it's the ID, but what about storing a whole datatable in a session var? I may do that to load a gridview a little faster upon return trips. There could still be problems with that in multiple browser windows, yikes! That's alot more work - any suggestions?
Thanks.