
How can I use Java to restrict the session to a single browser tab

I don't want the user's HTTP session to be shared between browser tabs.

For example, if a user logged into the system in tab one, he can see all of his profile details. However, when the same URL is hit from another new tab (tab two), it also displays the same user profile details.

I want to restrict the user session to only the first tab opened. If another tab is opened then the session of the first tab should not be used. Is there any way that this can be accomplished?

You can't create a different session for every tab in your browser.

The approach below is used to prevent the user from logging in again to the same application in another tab of the browser.

This worked for me.

In IE you have to create a New Session in the browser to log in as a different user.

You can restrict the user from opening the URL in another tab with the following steps:

  1. When the user clicks the login button, check the session in your server code as follows:

     // Needs javax.servlet.*, javax.servlet.http.* and java.io.IOException
     protected void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
         request.setCharacterEncoding("UTF-8");
         response.setCharacterEncoding("UTF-8");
         response.setContentType("text/html"); // was "UTF", which is not a MIME type

         String name = request.getParameter("name");
         String password = request.getParameter("password");
         boolean loginStatus;

         // Hard-coded demo credentials
         if ((name != null && name.equals("human"))
                 && (password != null && password.equals("human"))) {
             loginStatus = true;
             HttpSession session = request.getSession();
             String status = (String) session.getAttribute("status");

             if (status != null && status.equals("loggedin")) {
                 // status is set, so the user is already logged in within this session
                 response.sendRedirect("redirect.jsp");
             } else {
                 // First login in this session: do your login work here
                 if (loginStatus) {
                     session.setAttribute("status", "loggedin");
                     RequestDispatcher rd = request.getRequestDispatcher("success.jsp");
                     rd.forward(request, response);
                 }
             }
         } else {
             System.out.println("Authentication failed !");
             response.sendRedirect("fail.jsp");
         }
     }

Your redirect.jsp will be,

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"  "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Calculator</title>
</head>

<script type="text/javascript"></script>

<body>
    <h1 style="color:red;"> You are already in logged in state </h1>

</body>

</html>

Hope this trick will work.

You can send each request with a session ID, then get each session by session ID on the server.

I have done that before, although without Java, only JavaScript. This should apply as is to your case, though.

Standard Method

The problem you are hitting is that... you are using a cookie, which is the standard method of allowing someone to log in once, and then go in any one tab and still be logged in. It is the best method in most situations. However, remember that the cookie is sent along each and every hit to the server and that may be very important if you have CSS, JS, IMG, etc. data that is not public.

Separate Sessions

In order to distinguish each tab (page) as a separate session, what you do is use a session identifier in the page, not using cookies. (You may need both to allow private data as mentioned earlier.)

This works well in forms where you can easily create a hidden <input> tag:

<input type="hidden" name="session" value="123"/>

This supposes that you are generating your pages dynamically so each time someone hits that page, you get them a new session (actually you should have a special log in page to get the session, then navigate to the important page that shows you top-secret data...)

However, what you will find out is... YOU are responsible to carry that session identifier manually everywhere. That can be very tedious (i.e. NO direct link anywhere works because someone clicking a simple anchor link would not send that special session along, unless you add it as a parameter in the query string... or something of the sort. But then the session is visible in the URL. So using something like jQuery() you would have to capture each link, and if clicked you actually "POST a redirect". As I said, it's quite a bit of work!)

Note also that as soon as the user closes such a page, as far as he's concerned, he's logged out. Yet, the session is still active on the server. To really log the user out, you have to use the onclose event and make sure to send the server a quick notification to ask for the cancellation of the session.

Mixed Method

Using both methods: a hidden input (or whatever tag you want, very easy to retrieve with jQuery code) and the cookie, you may have better luck. That is, you may know that the user is "semi-logged in" with the cookie. Yet, without the session identifier, you do not show certain other top-secret data.
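The mixed method above (cookie session plus a per-tab identifier carried in a hidden input) can be sketched server-side as follows. This is an added example, not code from any of the answers; the class `TabTokenRegistry`, its method names and the session id strings in `main` are hypothetical, and it assumes the first tab to ask for a token is the one that keeps access.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper: binds one unguessable per-tab token to each cookie session. */
public class TabTokenRegistry {
    private static final SecureRandom RNG = new SecureRandom();
    // cookie session id -> token of the single tab allowed to see private data
    private final Map<String, String> activeTab = new ConcurrentHashMap<>();

    /** Value for the hidden input, or null if another tab already holds this session. */
    public String issue(String cookieSessionId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw); // random token, unlike a guessable value such as "123"
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        return activeTab.putIfAbsent(cookieSessionId, token) == null ? token : null;
    }

    /** True only when the submitted hidden-field value matches this session's tab token. */
    public boolean isValid(String cookieSessionId, String submitted) {
        String expected = activeTab.get(cookieSessionId);
        if (expected == null || submitted == null) {
            return false; // cookie alone: "semi-logged in", no private data
        }
        // Constant-time comparison so timing does not leak the token
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    /** Call on logout or when the tab reports that it is closing. */
    public void revoke(String cookieSessionId) {
        activeTab.remove(cookieSessionId);
    }

    public static void main(String[] args) {
        TabTokenRegistry registry = new TabTokenRegistry();
        String cookie = "constructed-session-id";             // constructed sample value
        String tabOne = registry.issue(cookie);
        System.out.println(registry.isValid(cookie, tabOne)); // true: tab one sends its token
        System.out.println(registry.issue(cookie));           // null: tab two gets no token
        System.out.println(registry.isValid(cookie, null));   // false: cookie without token
        registry.revoke(cookie);
        System.out.println(registry.issue(cookie) != null);   // true: free again after revoke
    }
}
```

In a servlet, `cookieSessionId` would be `request.getSession().getId()` and `submitted` the value of the hidden `session` parameter.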
