How can I manage sessions in J2EE?

Question

In my J2EE application, I have a problem with sessions. Different users can login to the application and the specified user can see the data for which he is authorized. He should not be able to see other user data. To differentiate users, we are using Client_ID. As soon as the user logs in we are fetching this Client_ID from the database and setting it in session like this:

session.setAttribute("Client_ID",user.getClient_ID())

We access this session value throughout the application and fetching the relevant data to that Client_ID. This works fine when users work on a single browser, but the problem is this:

Suppose there is a SuperAdmin, who needs to look all the clients under him. SuperAdmin logs in as client_1, and again as client_2. SuperAdmin has logged in both times using the same browser. When I refresh the client_1 browser, I am seeing the client_2 details, which should not happen.

I think our application is using the same session for two different logins in the same browser. What would be solution for this problem? I should see the correct data for the particular client when I refresh the page.

Answer 1

Don't use cookies for storing Session ID, but use request parameter instead. So each opened tab will request the own session. With cookies you have only one cookie for all tabs in browser.

P.S.: I think that it's incorrect to log in under 2 or more users within one browser at the same moment. Your application should detect that client_1 is already signed it and restict log in for other users from the same browser until logout. For example, Google's applications work in such way. Also would be great if SuperAdmin have a feature to see client_1 or client_2 data without log in. This will save him/her from remembering dozens of passwords and will increase performance of work (time is moneys, isn't?).

Answer 2

The default session management in a web application will automatically use cookies to do what you want. Just keep state in objects stored in session scope and you should not see this behaviour.

Answer 3

If you want multiple tabs within the same browser instance to see different things, then you will have to rework your session management and key things off of the URL.

The session is shared between browser tabs (true for most browsers), so logging in with one tab will affect the sessions for other tabs.

Answer 4

The solution is to use roles instead of multiple logins. You would give client_1 SuperAdmin role, and client 2 doesn't. This would reduce the need to login twice.

But in any case, you should only allow one user to be logged in at once. The process of logging in should invalidate the previous session. I forget the exact code in J2EE, but it is something like session.invalidate().