Thread: Multiple windows with one user

  1. #1
    Join Date
    Mar 2005
    Location
    Prague, Czech Republic
    Posts
    34

    Multiple windows with one user

    Now I know how to avoid the situation if a user wants to perform a second login. I would use ConcurrentSessionController. But does anyone know how to solve the situation when a user creates a new window (i.e. Ctrl+N) and it causes all session cookies to copy to this new window? What if I would like to prevent this thing and enable only one browser window per logged-in user?

    Thanks.
    Sorry if this is not related to Acegi Security

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    This is a client-side issue so I don't believe you can do anything about a user opening a second window unless you use JavaScript or something. You could probably use some kind of URL-rewriting with a sequence number or token to detect the problem.

    In any case you will have to protect against them starting a new browser window in a different process, launching a different browser or logging on from a different machine. So you'll need to use ConcurrentSessionController too.

    Luke.

  3. #3
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    That's a tricky requirement to satisfy. As Luke said, you'll need to do something fancy with URL rewriting or sequence numbers to make it work. Perhaps a Filter that sends a cookie containing the current URL they are looking at. Store that current URL in HttpSession. Upon the next request, ensure the current URL matches. Thus as soon as their second browser page deviates from the path of the first browser page, you'll be able to detect it. Don't forget to encode the cookie, a bit like we did in TokenBasedRememberMeServices, otherwise people can override your solution by modifying cookies on the client-side at each request. Unlikely, but possible.
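
Added example, not part of the thread and not Acegi code: because Ctrl+N copies the session cookies into the new window, this example carries the token in the rewritten URLs rather than in a cookie, as a sequence number signed with HMAC so it cannot be altered on the client. The class name, key and session id are hypothetical; in a real Filter the counter would be an HttpSession attribute.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added illustration (hypothetical class, not Acegi code): per-session sequence token for rewritten URLs.
public class WindowSequenceGuard {
    private final byte[] key;      // server-side secret; constructed value in main() below
    private final String sessionId;
    private long currentSeq = 0;   // in a real Filter this would be an HttpSession attribute

    public WindowSequenceGuard(byte[] key, String sessionId) {
        this.key = key.clone();
        this.sessionId = sessionId;
    }

    private String mac(long seq) throws Exception {
        Mac h = Mac.getInstance("HmacSHA256");
        h.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = h.doFinal((sessionId + ":" + seq).getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Called while rendering a page: every link on it gets ?seq=<returned token>.
    public synchronized String issue() throws Exception {
        currentSeq++;
        return currentSeq + "." + mac(currentSeq);
    }

    // Called on each request: accept only the untampered token of the page served last.
    public synchronized boolean accept(String token) throws Exception {
        int dot = (token == null) ? -1 : token.indexOf('.');
        if (dot <= 0) return false;
        long seq;
        try { seq = Long.parseLong(token.substring(0, dot)); }
        catch (NumberFormatException e) { return false; }
        boolean genuine = MessageDigest.isEqual(
                mac(seq).getBytes(StandardCharsets.UTF_8),
                token.substring(dot + 1).getBytes(StandardCharsets.UTF_8));
        return genuine && seq == currentSeq;
    }

    public static void main(String[] args) throws Exception {
        WindowSequenceGuard g = new WindowSequenceGuard(
                "constructed-demo-key".getBytes(StandardCharsets.UTF_8), "constructed-session-id");
        String page1 = g.issue();                // window 1 loads a page; Ctrl+N copies it to window 2
        System.out.println(g.accept(page1));     // window 2 follows a link first
        String page2 = g.issue();                // and is served a page carrying the next token
        System.out.println(g.accept(page1));     // window 1 follows its now stale link
        System.out.println(g.accept("2." + page1.substring(2))); // incremented number, old MAC
        System.out.println(g.accept(page2));     // window 2 carries on
    }
}
```

Running `main` prints true, false, false, true: the second window's first click is accepted, after which the first window's link and a hand-incremented token are both rejected. A page restored with the Back button or a reload also presents an old token, so the rejection path has to handle those cases gracefully.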
