stackoom
  简体   繁体   中英

How can I manage sessions in Java EE?

 原文  2009-04-13 14:12:15       java/ java-ee/ session

Question

In my Java EE application, I have a problem with sessions. Different users can login to the application and the specified user can see the data for which he is authorized. He should not be able to see other user data. To differentiate users, we are using Client_ID . As soon as the user logs in we are fetching this Client_ID from the database and setting it in session like this: 

session.setAttribute("Client_ID",user.getClient_ID())

We access this session value throughout the application and fetching the relevant data to that Client_ID . This works fine when users work on a single browser, but the problem is this:

Suppose there is a SuperAdmin, who needs to look all the clients under him. SuperAdmin logs in as client_1 , and again as client_2 . SuperAdmin has logged in both times using the same browser. When I refresh the client_1 browser, I am seeing the client_2 details, which should not happen.

I think our application is using the same session for two different logins in the same browser. What would be solution for this problem? I should see the correct data for the particular client when I refresh the page.

3 answers

solution1
 7  2009-04-13 14:42:30

Don't use cookies for storing Session ID, but use request parameter instead. So each opened tab will request the own session. With cookies you have only one cookie for all tabs in browser.

PS: I think that it's incorrect to log in under 2 or more users within one browser at the same moment. Your application should detect that client_1 is already signed it and restict log in for other users from the same browser until logout. For example, Google's applications work in such way. Also would be great if SuperAdmin have a feature to see client_1 or client_2 data without log in. This will save him/her from remembering dozens of passwords and will increase performance of work (time is moneys, isn't?).

solution2
 1  2009-04-13 15:43:03

If you want multiple tabs within the same browser instance to see different things, then you will have to rework your session management and key things off of the URL.

The session is shared between browser tabs (true for most browsers), so logging in with one tab will affect the sessions for other tabs.

solution3
 1  2009-04-13 16:37:44

The solution is to use roles instead of multiple logins. You would give client_1 SuperAdmin role, and client 2 doesn't. This would reduce the need to login twice.

But in any case, you should only allow one user to be logged in at once. The process of logging in should invalidate the previous session. I forget the exact code in Java EE, but it is something like session.invalidate() .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to manage java ee transactions? AWS EC2 Tomcat Java Webapp - How can I manage bot http sessions How to isolate user sessions in a Java EE? Java EE / Struts persistent sessions How can I use an Java EE API in a Java project? How should i manage Sessions and Transactions in hibernate? How can I manage users' sessions when I use web services? How can I externalize a PDF from a Java EE application? How can I get the name of the current web app in Java EE? How to manage transaction for database and file system in Java EE environment?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM