views:

313

answers:

3

I have ASP.net application that is basically a data entry screen for a physical inspection process. The users want to be able to have multiple browser windows open and enter data from multiple inspections concurrently. At first I was using cookie based sessions, and obviously this blew up.

I switched to using cookie-less sessions, which stores the session in the URL and in testing this seemed to resolve the problem. Each browser window/tab had a different session ID, and data entered in one did not clobber data entered in the other.

However my users are more efficient at breaking things than I expected and it seems that they're still managing to get the same session between browsers sometimes. I think that they're copying/pasting the address from one tab to the other in order to open the application, but I haven't been able to verify this yet (they're at another location so I can't easily ask them).

Other than telling them don't copy and paste, or convince them to only enter one at a time, how can I prevent this situation from occurring?

+1  A: 

Think of using ViewState instead of Session, since ViewState renders state information to the client (HTML page). I'm not sure if you'll ever be able to gain detailed control over the browser's session behavior, because the session ID is maintained by the browser the way the manufactured did it. So ViewState does what you want more reliably (formerly: is more secure), also to keep it working on further versions of browsers.

Cheers Matthias

Mudu
Just to clarify, by 'secure', I'm guessing you don't mean from an hacker attack perspective.
keyboardP
No, not at all, you're right. I edited the post.
Mudu
A: 

Must the users be logged in with different accounts to access different physical inspections? It seems to me that as long as the PhysicalInspectionID is part of the URL, then there should be no problem in editing multiple physical inspections at the same time.

E.g.,

http://inspections.mydomain.com/edit/23

Of course, if they copy the URL, they will get a duplicate of the other window, but this will teach them not to do that. Instead, they open another window and browse to the proper inspection (or add a new one) via the UI.

RedFilter
A: 

Create a new sessionId when the request has no referer. That solves the copy-paste url problem. Store the sessionId in the url like you did.

Mika Kolari