如何在Java EE中管理会话?
[英]How can I manage sessions in Java EE?
问题描述
In my Java EE application, I have a problem with sessions. 
在我的Java EE应用程序中,我遇到了会话问题。 Different users can login to the application and the specified user can see the data for which he is authorized. 不同的用户可以登录到该应用程序,指定的用户可以看到他被授权的数据。 He should not be able to see other user data. 他不应该看到其他用户数据。 To differentiate users, we are using Client_ID . 为了区分用户,我们使用Client_ID 。 As soon as the user logs in we are fetching this Client_ID from the database and setting it in session like this: 一旦用户登录,我们就从数据库中获取此Client_ID并将其设置为会话,如下所示:
session.setAttribute("Client_ID",user.getClient_ID())
We access this session value throughout the application and fetching the relevant data to that Client_ID . 我们在整个应用程序中访问此会话值并将相关数据提取到该Client_ID 。 This works fine when users work on a single browser, but the problem is this: 当用户在单个浏览器上工作时,这可以正常工作,但问题是:
Suppose there is a SuperAdmin, who needs to look all the clients under him. 假设有一个SuperAdmin,他需要查看他下的所有客户。 SuperAdmin logs in as client_1 , and again as client_2 . SuperAdmin以client_1身份登录,再次以client_2身份登录。 SuperAdmin has logged in both times using the same browser. SuperAdmin使用相同的浏览器记录了这两次。 When I refresh the client_1 browser, I am seeing the client_2 details, which should not happen. 当我刷新client_1浏览器时,我看到了client_2详细信息,这不应该发生。
I think our application is using the same session for two different logins in the same browser. 我认为我们的应用程序在同一浏览器中使用相同的会话进行两次不同的登录。 What would be solution for this problem? 这个问题会解决什么问题? I should see the correct data for the particular client when I refresh the page. 刷新页面时,我应该看到特定客户端的正确数据。
3 个解决方案
解决方案1
7 2009-04-13 14:42:30
Don't use cookies for storing Session ID, but use request parameter instead. 不要使用cookie来存储会话ID,而是使用请求参数。 So each opened tab will request the own session. 因此每个打开的选项卡都会请求自己的会话。 With cookies you have only one cookie for all tabs in browser. 使用cookie,浏览器中的所有选项卡只有一个cookie。
PS: I think that it's incorrect to log in under 2 or more users within one browser at the same moment. PS:我认为在同一时刻在一个浏览器中登录2个或更多用户是不正确的。 Your application should detect that client_1 is already signed it and restict log in for other users from the same browser until logout. 您的应用程序应该检测到client_1已经对其进行了签名,并且在注销之前还可以从同一浏览器中为其他用户登录。 For example, Google's applications work in such way. 例如,Google的应用程序就是这样运作的。 Also would be great if SuperAdmin have a feature to see client_1 or client_2 data without log in. This will save him/her from remembering dozens of passwords and will increase performance of work (time is moneys, isn't?). 如果SuperAdmin具有在不登录的情况下查看client_1或client_2数据的功能,也会很棒。这将使他/她不会记住几十个密码并且会提高工作效率(时间是金钱,不是吗?)。
解决方案2
1 2009-04-13 15:43:03
If you want multiple tabs within the same browser instance to see different things, then you will have to rework your session management and key things off of the URL. 如果您希望同一浏览器实例中的多个选项卡看到不同的内容,那么您将不得不重新设置会话管理并从URL中删除关键内容。
The session is shared between browser tabs (true for most browsers), so logging in with one tab will affect the sessions for other tabs. 会话在浏览器选项卡之间共享(对于大多数浏览器都是如此),因此使用一个选项卡登录将影响其他选项卡的会话。
解决方案3
1 2009-04-13 16:37:44
The solution is to use roles instead of multiple logins. 解决方案是使用角色而不是多次登录。 You would give client_1 SuperAdmin role, and client 2 doesn't. 您将为client_1提供SuperAdmin角色,而客户端2则不提供。 This would reduce the need to login twice. 这将减少登录两次的需要。
But in any case, you should only allow one user to be logged in at once. 但无论如何,您应该只允许一个用户一次登录。 The process of logging in should invalidate the previous session. 登录过程应使前一个会话无效。 I forget the exact code in Java EE, but it is something like session.invalidate() . 我忘记了Java EE中的确切代码,但它类似于session.invalidate() 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.