Nov 12th, 2009, 06:56 PM
Multiple sessions causing issues
I am having this weird problem wherein the user attributes (essentially the Authentication object) are getting lost. Appears to happen sometimes on FF and IE and aggressively on Safari and Chrome.
1. User logs in to application and is redirected to home page. A session is created and the Authentication object with user information is associated with this session. So, when I get the SecurityContext and query for the Authentication object, it all looks good.
2. The home page loads images, scripts, flash components and makes protected api calls.
3. The problem: Many of the images, scripts, api calls occur on the session that was created, which is good. However, the browser (I guess) creates a few more sessions (probably trying to be fast) and begins to load images, make api calls etc. using the new sessions. The Authentication object that was available via the SecurityContext in the original session appears not to be associated with the new sessions and as a result, the server code that's processing the protected api calls (for example) doesn't know who the caller/user is.
Like I mentioned, in Safari and Chrome, the problem is acute. Is there something I can use that handles this situation? Just before I started to write this message, I saw something about ConcurrentSessionController/Filter. Is that something that could be used? (the name sounds promising...)
Thanks for your time.
Nov 13th, 2009, 08:06 AM
The security context is tied to the session. It's up to you to make sure that your application establishes a single authenticated session before making multiple requests. You don't typically want a single user creating multiple sessions at once as that's not an efficient use of resources.
Browsers don't create sessions, the server does. Where possible, you should make sure that requests for images, scripts etc are stateless and don't create sessions.
Nov 13th, 2009, 03:18 PM
Thank you for your response.
Let me try the Tomcat forum and find out if there is a way to control the sessions created.
Alternatively, I suppose I could dynamically append the original jsessionid to all urls on the page (images, api calls etc) and that should keep them all in the same session. That should make the security context available to all calls, I think. Your thoughts?
If I do end up adopting the append jsessionid approach, are there any security issues or is that acceptable?
Thanks for your time.
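The stateless approach suggested in the reply above (keep requests for images, scripts etc. from creating sessions) and the follow-up question about appending jsessionid to URLs, illustrated with an added example that is not code from this thread, from Spring Security or from Tomcat. It is a plain servlet filter, mapped in web.xml ahead of the Spring Security filter chain, that wraps requests for static-resource paths so that nothing downstream can create a session for them, and that logs when any other request leaves behind a brand-new session. The path prefixes, class name and log wording are assumptions; adjust them to your own layout.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the thread or from Spring Security): keeps static
 * resources stateless so the server never creates extra sessions for them.
 *
 * web.xml (map it before springSecurityFilterChain, filter order is mapping order):
 *   <filter>
 *     <filter-name>statelessResources</filter-name>
 *     <filter-class>StatelessResourceFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>statelessResources</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class StatelessResourceFilter implements Filter {

    // Assumed path prefixes (relative to the context path) that never need a session.
    private static final String[] STATELESS_PREFIXES = { "/images/", "/scripts/", "/css/", "/flash/" };

    private FilterConfig config;

    public void init(FilterConfig filterConfig) {
        this.config = filterConfig;
    }

    public void destroy() {
        this.config = null;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (isStateless(path)) {
            // Downstream code (JSPs, the Spring Security session integration filter, ...)
            // can still see an existing session via the cookie, but cannot create one.
            chain.doFilter(new NoSessionCreationRequest(request), res);
            return;
        }

        // Detection for everything else: a request that arrived without a usable session
        // and leaves with a new one is one more session for this client. A burst of these
        // right after login is the symptom described in the thread.
        boolean hadSession = request.getSession(false) != null;
        chain.doFilter(req, res);
        HttpSession after = request.getSession(false);
        if (!hadSession && after != null && after.isNew()) {
            config.getServletContext().log("new session " + after.getId()
                    + " created by " + request.getMethod() + " " + path
                    + " from " + request.getRemoteAddr());
        }
    }

    // True when the path is one of the resource prefixes that must stay stateless.
    static boolean isStateless(String path) {
        for (String prefix : STATELESS_PREFIXES) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    // Request view in which every getSession() call behaves like getSession(false).
    private static class NoSessionCreationRequest extends HttpServletRequestWrapper {
        NoSessionCreationRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public HttpSession getSession() {
            return super.getSession(false);
        }

        @Override
        public HttpSession getSession(boolean create) {
            return super.getSession(false);
        }
    }
}
```

Two notes on the design. First, because the static resources no longer need a session, there is no reason to rewrite jsessionid into their URLs: a session id in a URL travels in Referer headers, proxy and server logs and browser history, so cookie-based tracking is the safer default and this filter lets you keep it. Second, the same effect can usually be had from configuration alone (for example, excluding the static paths from the Spring Security filter chain, or Tomcat's option to disable URL rewriting); which attribute is available depends on the Spring Security and Tomcat versions in use, so check the reference documentation for your release before relying on the filter.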