4 Replies Latest reply on Jun 13, 2003 8:22 AM by Alexander Jesse

    Authentication (user login)

    Yanik Crépeau Newbie

      I have just discovered that if I open two (2) browser windows connecting to Nukes, I can not log in using two (2) distinct user names.

      Even worse, the page.getSession(); call seem to return the same HttpSession object.

      Tested: With Internet Explorer (Windows).

      I also tested using Lynx on Linux using the screen utility to have many instances of Lynx running at the same time. In that case, I had distinct sessions without any interference of one against another one.

      The problem is clearly linked with two (or more) instances of Internet Explorer running on the same machine.

        • 1. Re: Authentication (user login)

          that's on purpose, the cookie jsessionid used has the property to do that. is that a problem for you ?

          otherwise the remember me will not work. the problem is that once a cookie has been sent, it's lifetime cannot be changed anymore.


          • 2. Re: Authentication (user login)
            Hezekiel Newbie

            The problem you describe is probably caused by the way Internet Exploder handles cookies. The session id is stored in the cookie and different instances of IE share this information when 'pointing' to the same site.

            Do not consider circumventing this problem by sending the session id in URL... Bad practice.

            • 3. Re: Authentication (user login)
              Yanik Crépeau Newbie

              In another project (where JBoss is not involved) one of our manager has a dual role: manager and regular user. He wants to have two (2) distinct ids and sometime he wants to have a window opened with his manager id and another window with his regular user id.

              In another circomstances it could be usefull to have two windows with two different ids just for testing purpose.

              The "Remember me" mecanism is very nice but when someone chooses to NOT use it, the system should not be limited or restricted the way Julien has described. When the "Remember me" is not checked, the cookie's expiration date should be set to zero (meaning as soon the user close the window) and when the user log out, the cookie should be remove and the session invalidated.

              In fact, the "Remember me" cookie (with a long period of existence) should be distinct of the SessionId cookie.The Remember me cookie would be handled by Nukes and the SessionId cookie by the Jetty/Tomcat engine itself. It is clear that when a user log in (not using the "Remember me" mecanism) a new session is created.

              • 4. Re: Authentication (user login)
                Alexander Jesse Newbie

                How do you open the second browser window?

                In my experience you can logon to applications using true servlet-sessions (and not the concept used by most *nukes: ip-address...) by starting two instances of the browser.

                If you press "ctrl-n" in your browser this normally gives you a second window, but no second instance. If you (windows...) double-click a second time on the browser's icon, this usually gives you another instance with separate cookie-management.
                A possible problem might be, if you use persistant cookies. I know the above description works perfectly when I have cookies that are only valid for the actual session...