Re: need help with sessions: msg#00071

java.enhydra.general

Subject: Re: need help with sessions

Petr,

When you are using cookies for session management, if the user opens another
browser window, it will use the same cookie as the first window. If the
user logs out in one window and logs in as a different user, the original
window will now also use the new session. If you pass the session id as
part of the URL (rather than via cookies), this isn't an issue.

If, instead of opening the second window, the user executes a new instance
of the browser, then the two windows will allow completely different
sessions to be maintained.

Detecting when a user has 'left' a session cannot be done, to the best of my
knowledge, by direct means. If the user hasn't explicitly logged out, you
have to wait for a period of inactivity and then assume he's gone.

HTH,

Terry


----- Original Message -----
From: "Petr Stehlik" <pstehlik@xxxxxxxxxx>
To: <enhydra@xxxxxxxxxxx>
Sent: Tuesday, November 26, 2002 10:01 AM
Subject: Enhydra: need help with sessions


> Hi,
>
> I have been using the modified Enhydra session management for some time
> but recently I ran into problems with people that don't close their
> browser window and visit my site under a different name but still with
> the original cookie (=session ID).
>
> Is there somebody who could explain to me the idea behind some of the
> functions of the BasicSession class? Things like
>
> - why and when to use RefCount (decrementRefCount, incrementRefCount)
>
> - difference between User and SessionData and their purpose
>
> Also, when is it safe to call the deleteSession() and createSession() of
> the SessionManager? I have a check for re-used session ID in the
> StandardApplication.requestPreprocessor() but when I deleted and
> recreated the session at that place it wasn't very happy.
>
> Basically what I am trying to do is to throw away the original session
> ID in the cookie and create a new session ID as soon as I detect a new
> user. If I don't do that the users often have several windows open with
> different "identities" and then confuse my user management badly
> (imagine that somebody logged in as Joe Average User With No Privileges
> logs in again in another window of the same browser, to a different
> account (say Root) with higher privileges and then goes back to Joe
> Average's window and starts screwing things up there thanks to recently
> gained Root's privileges).
>
> Thanks in advance for help.
>
> Petr
>
>
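
The approach discussed in this thread (issue a new session ID whenever someone logs in, and expire sessions after a period of inactivity), as an added example that is not part of the original messages and not Enhydra code. The class, its methods, the 30-minute limit and the idea of each page carrying the user it was rendered for are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical in-memory store; not Enhydra's SessionManager or BasicSession.
public class SessionRotationDemo {
    record Session(String user, long lastSeenMs) {}
    static final long IDLE_LIMIT_MS = 30 * 60 * 1000L; // assumed inactivity limit
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private String newId() {
        byte[] b = new byte[16];
        rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Every successful login deletes the session the cookie carried and issues a fresh ID.
    public String login(String cookieId, String user, long nowMs) {
        if (cookieId != null) sessions.remove(cookieId);
        String id = newId();
        sessions.put(id, new Session(user, nowMs));
        return id;
    }

    // pageUser: the user the page was rendered for (assumed to arrive in a server-signed field).
    // Returns the session user, or null when the ID is unknown, idle too long, or the page is stale.
    public String authorize(String cookieId, String pageUser, long nowMs) {
        Session s = cookieId == null ? null : sessions.get(cookieId);
        if (s == null) return null;
        if (nowMs - s.lastSeenMs() > IDLE_LIMIT_MS) {
            sessions.remove(cookieId);            // assume the user has gone
            return null;
        }
        if (!s.user().equals(pageUser)) return null; // window belongs to a previous login
        sessions.put(cookieId, new Session(s.user(), nowMs));
        return s.user();
    }

    public static void main(String[] args) {
        SessionRotationDemo m = new SessionRotationDemo();
        String joe = m.login(null, "joe", 0);
        String root = m.login(joe, "root", 1_000); // second window, same browser cookie
        System.out.println(m.authorize(joe, "joe", 2_000));   // request with the deleted ID
        System.out.println(m.authorize(root, "joe", 2_000));  // Joe's old window, Root's cookie
        System.out.println(m.authorize(root, "root", 2_000)); // Root's own window
        System.out.println(m.authorize(root, "root", 2_000 + IDLE_LIMIT_MS + 1)); // after idling
    }
}
```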

