How can I manage sessions in Java EE?

Question

How can I manage sessions in Java EE?

In my Java EE application, I have a problem with sessions. Different users can enter the application, and the specified user can see the data for which he is authorized. It should not see other user data. To distinguish between users, we use Client_ID . As soon as the user logs in, we will extract this Client_ID from the database and set it in the session as follows:

 session.setAttribute("Client_ID",user.getClient_ID())

We access this session value throughout the application and retrieve the appropriate data for this Client_ID . This works great when users are running in the same browser, but the problem is this:

Suppose there is a SuperAdmin that needs to look for all the clients under it. SuperAdmin registers as client_1 and again as client_2 . SuperAdmin logged in both times using the same browser. When I update the client_1 browser, I see client_2 details that should not be.

I think our application uses the same session for two different logins in the same browser. What will be the solution to this problem? When I refresh the page, I should see the correct data for a particular client.

+4

java java-ee session

Mahesh Apr 13 '09 at 14:12

source share

3 answers

ruslan · Answer 1 · 2009-04-13T14:42:30+0000

Do not use cookies to store the session ID, but use the request parameter instead. Thus, each open tab will request its own session. With cookies, you only have one cookie for all tabs in your browser.

PS: I think it’s incorrect to log in under two or more users in the same browser at the same time. Your application should detect that client_1 has already signed it, and log out to log in to the system for other users from one browser before logging out. For example, Google apps work this way. It would also be great if SuperAdmin had the ability to view client_1 or client_2 data without logging in. This will save him / her from remembering dozens of passwords and increase productivity (time is money, no?).

jsight · Answer 2 · 2009-04-13T15:43:03+0000

If you want several tabs in the same browser instance to be able to see different things, you will have to redo the session management and key events from the URL.

A session is divided between browser tabs (true for most browsers), so logging in with one tab affects sessions for other tabs.

Steve McLeod · Answer 3 · 2009-04-13T16:37:44+0000

The solution is to use roles instead of multiple logins. You must specify the role client_1 SuperAdmin, and client 2 not. This will reduce the need to log in twice.

But in any case, you should allow only one user to log into the system at a time. The login process should cancel the previous session. I forgot the exact code in Java EE, but it is something like session.invalidate() .

How can I manage sessions in Java EE?

More articles: