Last post Jun 27, 2013 11:34 AM by subhajyoti.ece
Jun 27, 2013 09:13 AM | subhajyoti.ece
I have an application where the start page is appended with a querystring parameter which equals a unique sessionID (created with the SessionIDManager class) if it does not already contain one. On subsequent trips the page retains the same session ID. I append this querystring parameter to all other session variable names to retain their uniqueness. But if any user gets to know the sessionID of another user, he/she is able to log in to the same URL (login is allowed for authenticated OS users). A user can even open multiple tabs of the same browser with the same sessionID, and this creates abnormal behavior in the application's functionality (as session objects are no longer unique).

I am trying to derive a mechanism to restrict other users (or the same user in a different tab) from using the same sessionID. All tabs should have their own unique session IDs to achieve the expected behavior from subsequent pages. If a user tries to open the URL with an existing sessionID, it should automatically redirect the user to the same page after creating a new sessionID and passing it as the new querystring parameter.
Jun 27, 2013 11:06 AM | BrockAllen
Yep, this is a classic, hard problem. I'd suggest using sessionStorage in the browser to distinguish between browser tabs. Also, allowing a query string param to auth users is dangerous -- you should use a cookie.
Jun 27, 2013 11:34 AM | subhajyoti.ece
Actually, users will be able to log in to the application only when they have a valid domain user ID and they have a flag set as true in a database. I am not sending anything through the sessionID related to user login. I am storing many objects in session variables, and as I have a requirement to enable users to use tabbed browsing and still be able to do different transactions, I am creating a unique session on first page load and doing a Response.Redirect with that sessionID as a query string. Thereafter I am using it to create session variables with that key (example: Session[Request.QueryString["sessionID"]]) to maintain uniqueness; otherwise, due to the browser's inherent session-sharing behavior, users might see data registered from a different tab. The application is working perfectly as long as users are using the URL given to them. But if users want, they can use the full URL from a different tab (with the sessionID) and create abnormal behavior. I want to prevent them from doing this. Any more suggestions from your experience will be highly