3

How to NOT share session between multiple browser tabs ?

I am using Spring Security in JSP/Servlet application and I want to know "How can we achieve the behavior with Spring Security where user is forced to login again whenever he changes the browser tab ?".

Disclaimer Question is similar to this Question and this question, but since both the questions are too old (i.e. 4,7 years old) I am sure there must be some way to achieve that today, isn't it ?

Community
  • 1
  • 1
Amit
  • 13,134
  • 17
  • 77
  • 148
  • 1
    why do you need to do this? – Neil McGuigan Jun 05 '15 at 17:07
  • @NeilMcGuigan I want to force user to login again if user changes browser tab.. – Amit Jun 08 '15 at 03:41
  • I've added an answer - however it is to the [question you linked](http://stackoverflow.com/a/30711951/413180) as it is not specific to spring. – SilverlightFox Jun 08 '15 at 14:35
  • Follow this Link maybe this code will help: http://stackoverflow.com/a/14177653/4610470 –  Jun 19 '15 at 12:29
  • what should happen with the old tab? – artur grzesiak Jun 19 '15 at 19:07
  • The both solutions of using session storage and window.name via javascript allow you to uniquely identify a different tab/a new tab. However, you did not mention clearly what will happen if a new tab is opened. Both solutions will allow you to 1. Each new tab will run a new session - multiple logins/different sessions 2. Expire the parent/all sessions when new tab opened - as mentioned in the question where user will be forced to login again 3. If new tab is opened, user will be acknowledged to use the first opened tab. – CalebC Jun 22 '15 at 02:02

2 Answers2

11

On successful login put some value in sessionStorage.setItem('userId',userId) and when ever user open new tab and tries to login check if sessionStorage.getItem('userId') is available if null it means it is a new tab / redirect to login page.

Session storage is tab specific and data are not shared between different tabs. Session storage runs in modern browser.

check this link for details

Try below code

On successful login add this below code

<script>

  if(typeof(Storage) !== "undefined") {
      sessionStorage.setItem("uniqueIdSessionStorage", "xyz");
  }
</script>


sessionStorage.getItem('uniqueIdSessionStorage') // this will be a tab specific you will not get xyz for other tabs.

1) Check if sessionStorage.getItem('uniqueIdSessionStorage') is not null, if null means new tab and new user.

2) On server side always store session attributes like below code

 session.setAttribute("userId"+UniqueValuePerUser,userId);

3) This way you can have multiple login with single session object for every user key will be unique.

4) Pass sessionStorage value server side somehow in request Parameter. One way is to send in url or somewhere hidden in input.

5) Now if you get 12345 value from tab. Then get details from session using below code

String uniqueId= request.getParameter("uniqueId"); // value will be 12345
session.getAttribute("userId"+uniqueId);

and if you get 45678 value from tab then 

String uniqueId= request.getParameter("uniqueId"); // value will be 45678
session.getAttribute("userId"+uniqueId) // and other details from session using unique id;

6) This way with unique key in single session you can achieve multiple login but if one logout and you invalidate session other user will also get logged out because session object is one with unique key.

7) Instead of invalidate session remove that particular key from session.

session.removeAttribute("userId"+uniqueId);
pise
  • 849
  • 6
  • 24
  • 51
  • This looked like a good and cleaver thing to do however when I started implementing it wasn't really. In second tab when sessionStorage parameter wasn't sent. If we create a new session using request.getSession(true) it will just destroy the session if the first tab. Is is it that you suggested ? Or I did something wrong ? – Amit Jun 18 '15 at 09:42
  • @Amit sessionStorage has nothing to do with server side session. It is just a cookie which is not share between the tab. I will post some code for you. – pise Jun 18 '15 at 10:33
  • I got the thing about sessioStorage, I am just wondering how can we use the client's value to tell server "Start a new session buddy".. I am not able to get this point. – Amit Jun 18 '15 at 10:35
  • @Amit I have posted code for multiple login. Do not create new session instead use same session and save both user value in single session with some unique key as I have mentioned in answer. – pise Jun 18 '15 at 11:14
  • @pise I think you deserve much more visibility, but this answer is not very clear, can you review it? – Jacopo Dec 11 '15 at 09:30
  • this does not work when press back holding ctrl key, the session storage is shared. – elporfirio May 09 '18 at 20:29
0

Put below script on first page after login

<script>
    window.name = 'appname';
</script>

check following on all the other pages:

if (window.name != 'appname'){
    window.location = "/login.jsp";
}

If user will try to open the new tab, script will take user to login page.

Atif AJ
  • 9
  • 1
  • 1
    But how the server will handle the request from the second tab ? If we create a new session won't it destroy the first Tab's session ? – Amit Jun 18 '15 at 09:44