
This is not strictly a GWT question, but since the context I'm getting this question out of is GWT, I included the GWT and servlet tags.

Since multiple requests can belong to the same session, and each request has a remote user associated with it (null or non-null), it makes me wonder if it's possible to have different users in a session.

Let's say a user logs in, logs out and relogs in using a different account, are we still in the same session on the server side?

EDIT to address the ambiguities raised by BalusC's answer: I'm not asking about having multiple users "at the same time". The question is whether it's possible for more than one user to ever enter the same session.

RAY

1 Answer

Your question is rather ambiguous.


Is it possible to have multiple users in the same HTTP session

That depends on how you define "user".

If it's the logged-in user (which is usually stored in / associated with the HTTP session), then that's not possible. There can be only one at the same time.

However, if it's the client, then it's definitely possible to have multiple clients sharing the same session (and inherently also exactly the same logged-in user). This can be achieved via a session fixation attack, which can be performed with the help of cross-site scripting. Basically, this happens when multiple clients use exactly the same JSESSIONID cookie.


Let's say a user logs in, logs out and relogs in using a different account, are we still in the same session on the server side?

This is essentially a different question than the one asked in the title. There's strictly no means of "multiple users in the same session" here when considering "at the same moment".

In any case, when the logout does not invalidate the session, which goes against "common practice", then this is indeed quite possible.


BalusC
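
One way to keep two accounts from ever sharing a session, following the points in the answer above (logout should invalidate the session, and a client must not keep a JSESSIONID that predates its login). This is an added example, not code from the question or the answer. It assumes the `javax.servlet` 3.0+ API with a container-managed realm; the `AuthServlet` class, the `/auth/*` mapping and the `username`/`password` parameter names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Added example: hypothetical servlet, mapping and parameter names are assumptions.
@WebServlet("/auth/*")
public class AuthServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getPathInfo();
        if ("/login".equals(action)) {
            login(req, resp);
        } else if ("/logout".equals(action)) {
            endSession(req);
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        } else {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    // Ends the container login and destroys the session with all its state.
    private void endSession(HttpServletRequest req) throws ServletException {
        req.logout();                         // getRemoteUser() is null from here on
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();             // the old JSESSIONID no longer maps to state
        }
    }

    private void login(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Never authenticate into the session the client arrived with: it may
        // hold a previous account's state or an ID that another client knows.
        endSession(req);
        try {
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {        // bad credentials or login not supported
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.getSession(true);                 // make sure the new login has a session
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

With this in place, the "log in, log out, log in as another account" sequence from the question always ends up in a different session than it started in.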