Results 1 to 3 of 3

Thread: Multiple sessions causing issues

  1. Nov 12th, 2009, 06:56 PM #1
    thar
    thar is offline Junior Member
    Join Date
    Nov 2009
    Posts
    2

    Default Multiple sessions causing issues

    Hello all,
    I am having this weird problem where in the user attributes (essentially the Authentication object) is getting lost. Appears to happen sometimes on FF and IE and aggressively on Safari and Chrome.

    1. User logs in to application and is redirected to home page. A session is created and the Authentication object with user information is associated with this session. So, when I get the SecurityContext and query for the Authentication object, it all looks good.

    2. The home page loads images, scripts, flash components and makes protected api calls.

    3. The problem: Many of the images, scripts, api calls occur on the session that was created, which is good. However, the browser (I guess), creates a few more sessions (probably trying to be fast) and begins to load images, make api calls etc using the new sessions. The Authentication object that was available via the SecurityContext in the original session appears not be associated with the new sessions and as a result, the server code thats processing the protected api calls (for example) doesn't know who the caller/user is.

    Like I mentioned, in Safari and Chrome, the problem is acute. Is there something I can use that handles this situation? Just before I started to write this message, I saw something about ConcurrentSessionController/Filter. Is that something that could be used? (the name sounds promising...)

    Thanks for your time.
  2. Nov 13th, 2009, 08:06 AM #2
    Luke Taylor
    Luke Taylor is offline Senior Member Acegi Security System TeamSpring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Default

    The security context is tied to the session. It's up to you to make sure that your application establishes a single authenticated session before making multiple requests. You don't typically want a single user creating multiple sessions at once as that's not an efficient use of resources.

    Browsers don't create sessions, the server does. Where possible, you should make sure that requests for images, scripts etc are stateless and don't create sessions.
    Spring - by Pivotal
    twitter @tekul
  3. Nov 13th, 2009, 03:18 PM #3
    thar
    thar is offline Junior Member
    Join Date
    Nov 2009
    Posts
    2

    Default

    Luke,
    Thank you for your response.

    Let me try the Tomcat forum and find out if there is a way to control the sessions created.

    Alternatively, I suppose I could dynamically append the original jsessionid to all urls on the page (images, api calls etc) and that should keep them all in the same session. That should make the security context available to all calls, I think. Your thoughts?

    If I do end up adopting the append jsessionid approach, are there any security issues or is that acceptable?

    Thanks for your time.
« Previous Thread | Next Thread »

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules