In our Java web application we use the HTTP session for log in. Pretty standard stuff I think. Lately we got a report from a customer which says that the log in often disappears, causing the user to log in again (and sometimes lose any work).

According to the customers this never happens when using OS X - Firefox 3.

The problem occurs when the customer has several tabs open at once.

I have to get some more info from the customer, but my first thought was that maybe the HTTP session timed out (30 minutes I think).

My second thought was since IE 7 shares the session between tabs, the customer could have:

1. logged in to the administration console in the default tab
2. logged in to the web front end in a second tab, "overwriting" the first session.

As I said above I do not have more info from the customer to reproduce this, but I find the whole thing a bit weird since we have never heard of it before.

Has anyone here had similar experiences? It sounds like a customer problem :) but I am just curious.

Thanks in advance,

pokemon

A: 

Yes, we hear of this type of problem from time-to-time, and it tends to be caused by the scenario you came up with.

You can have the customer try to grab a trace (see www.fiddlercap.com) to better troubleshoot this type of issue in production.

EricLaw -MSFT-
A: 

> since IE 7 shares the session between tabs

All browsers I know share cookies (and thus sessions) among all their tabs and windows. IE has the annoying feature that hitting Ctrl-N for a new window actually opens an additional window for the current URL (whereas most other browsers just open a blank window, or show the homepage). I guess this also applies to hitting Ctrl-T to open a new tab?

So, things may be more confusing in IE, but should be no different for other browsers. And opening an additional window by itself should not invalidate any cookie. (Your web application may use some JavaScript to invalidate the session when a window is closed, but I guess you'd know about that.)

In all well-known browsers (for sure including Firefox on OS X), opening multiple windows using different login credentials will probably confuse your web application, as most web applications are not built to support multiple logins using the same cookie (thus: for the same domain). Using different browsers for each login solves this. Also, setting up some admin.example.org domain (referring to the very same server IP address) may help separate the cookies for the normal login and the admin login, without the need to change the server side code.

Earlier versions of Internet Explorer seemed to have some issues with cookies expiring too soon when the time zone on the client did not match the actual time zone for that client. When choosing the wrong time zone, people actually set their clock to a wrong time to make up for the difference. This confuses some cookie mechanisms (probably only if the value of the cookie itself would also hold some timestamp), especially when daylight saving time on the client would start or stop on a different date than on the server.

Arjan
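
The cookie scoping described in the answer above, as an added example that is not part of the original posts: a simplified model of one browser cookie jar shared by all tabs, showing the overwrite on a single host, the isolation gained from a separate admin.example.org host, and how a Domain attribute on the cookie removes that isolation again. The host www.example.org, the cookie name JSESSIONID (the servlet default) and the server issuing a fresh session id on each login are assumptions.

```javascript
// Simplified model of a browser cookie jar (after RFC 6265). One jar per
// browser profile is shared by every tab and window. Constructed example.
class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Store a cookie set by `host`; `domain` models the optional Domain attribute.
  set(host, name, value, domain = null) {
    const scope = (domain || host).replace(/^\./, '').toLowerCase();
    // Identity is (name, scope): a second cookie with the same pair replaces the first.
    this.cookies.set(`${name}|${scope}`, { name, value, scope, hostOnly: !domain });
  }

  // Return the "name=value" pairs the browser would send to `host`.
  sentTo(host) {
    const h = host.toLowerCase();
    return [...this.cookies.values()]
      .filter(c => h === c.scope || (!c.hostOnly && h.endsWith('.' + c.scope)))
      .map(c => `${c.name}=${c.value}`);
  }
}

// Assumption: the server issues a fresh JSESSIONID on every successful login.
function login(jar, host, sessionId, domain = null) {
  jar.set(host, 'JSESSIONID', sessionId, domain);
}

// Case 1: admin console and front end on one host; the second login wins.
function sameHost() {
  const jar = new CookieJar();
  login(jar, 'www.example.org', 'admin-session');   // tab 1
  login(jar, 'www.example.org', 'user-session');    // tab 2
  return jar.sentTo('www.example.org');             // what tab 1 sends next
}

// Case 2: admin console on its own host name, host-only cookies stay apart.
function separateHosts() {
  const jar = new CookieJar();
  login(jar, 'admin.example.org', 'admin-session');
  login(jar, 'www.example.org', 'user-session');
  return { admin: jar.sentTo('admin.example.org'), www: jar.sentTo('www.example.org') };
}

// Case 3: same two hosts, but Domain=example.org makes the cookie shared again.
function sharedParentDomain() {
  const jar = new CookieJar();
  login(jar, 'admin.example.org', 'admin-session', 'example.org');
  login(jar, 'www.example.org', 'user-session', 'example.org');
  return jar.sentTo('admin.example.org');
}
```

The separate host name only helps while the session cookie stays host-only; a container configured to set the cookie's Domain to the parent domain behaves like case 3.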