In my web application, I am using a cookie-based session, and thus that session is being shared among all browser tabs. Is there a way to restrict the user to have access to the application in one tab at a time with the use of tokens (Token Interceptor)? Opening it up in a new tab will invalidate the previous tab's pages (i.e. all application JSP pages, including the login page).
1 Answer
0
In short, this is not possible, and the only solution which comes to my mind is to force the user to use a single instance of your application by writing URLs on the fly using a sessionID. I am not sure why you need this and what exactly your use case is. If I am correct, there is such a feature in Spring Security which helps us to keep only one instance per logged-in user, and all you need is to set a property in your spring-security XML file like:
<session-management>
    <concurrency-control max-sessions="1" />
</session-management>
For details refer to these threads


Umesh Awasthi
-
I don't want to have tab-based separate sessions. Let it be one session being shared among all tabs. What about using the Struts token in forms? This way I can achieve it for one specific form. Let's say if the same form is opened again in a second tab, then the form token will expire for the previous first tab. I want to know some way to achieve it for the entire application, if possible? – Ashish Kataria Aug 27 '12 at 10:28
-
Can you explain what exactly you want to achieve? – Umesh Awasthi Aug 27 '12 at 10:31
-
Why I want to achieve this: in case the user closes the browser tab without logging out (killing the session), next time it can go into some wrong hands, as the session is still there. I want to have proper authentication every time, so what I could think of is token-based forms for the entire application. How to achieve it in Struts, any ideas? – Ashish Kataria Aug 27 '12 at 10:42
-
This is nothing related to S2 then; you need to send some kind of message to the server the moment your user closes the last browser window, and then all you need is to invalidate the session. – Umesh Awasthi Aug 27 '12 at 10:43
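
The Spring Security setting from the answer, shown in context together with the two `web.xml` entries it depends on; this is an added example, not configuration posted by anyone in the thread. It caps concurrent sessions per user, not per tab: tabs in one browser send the same session cookie and remain one session. The `/login.jsp` path and the 15-minute timeout are assumed placeholder values.

```xml
<!-- ===== WEB-INF/web.xml ===== -->

<!-- Publishes session-destroyed events to Spring Security. Without it the
     session registry never learns that a session expired, and the user
     stays counted against max-sessions after an idle timeout. -->
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

<!-- Server-side idle timeout in minutes (assumed value). This is what
     ends a session left behind when a tab is closed without logging out. -->
<session-config>
    <session-timeout>15</session-timeout>
</session-config>

<!-- ===== Spring Security namespace configuration ===== -->
<!-- The session-management element goes inside the application's
     existing <http> element, next to its intercept-url and login rules. -->
<http>
    <session-management invalid-session-url="/login.jsp">
        <!-- max-sessions="1": a second login by the same user expires the
             first session (the default behaviour).
             expired-url: where a request carrying the expired session is
             sent (assumed path).
             error-if-maximum-exceeded="true" would instead reject the
             second login and keep the first session alive. -->
        <concurrency-control max-sessions="1"
                             expired-url="/login.jsp"
                             error-if-maximum-exceeded="false" />
    </session-management>
</http>
```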