Multiple User Sessions

[paulfischer]

My app needs to allow the user to create multiple sessions in separate browser windows with different session attributes. The authentication passes a variable called "profile" which is used to determine the user authorities in terms of which reports are visible and what data will be returned from the DB queries.

User opens window (1) with profile (A),
User opens window (2) with profile (B),
User switches back to window (1), and the session attributes contain the values from window (2). But I would like window (1) to have profile (A) and window (2) to have profile (B).

I set the tag in my config, but it did not solve the problem.
<security:session-management session-fixation-protection="newSession"/>

I store the "profile" attribute in a custom token based on UsernamePasswordAuthenticationToken and then retrieve it from the SecurityContextHolder as needed.

I have searched and found many posts on how to limit the user sessions, but I have found nothing that addresses multiple sessions with different session attributes. I appreciate any help.

Thanks,
Paul

[Marten Deinum]

Make sure you really have a NEW browser window... You don't open a new browser by pressing CTRL+N, that simply opens another browser window and copies all the state. So that way you don't have 2 really separate browser windows, I suspect if you start a chrome session and firefox session with the same scenario it runs without problems (the same for 2 fresh browser instances of the same type of browser).

CTRL+N is basically a very expensive new tab for browsing.

[paulfischer]

Marten, thanks for your reply. I realize that what I am trying to do will not work because the session is shared between the browser windows and tabs. So instead (for now), I will take the "profile" value which is received from the login request and persist it in the Flex app on my home page and send the value to each of the backend services which are based on profile.