sounds almost like some MetaFrame connection or something, then running the app on that particular machine. Is that what's going on here?
-----Original Message----- From: Christopher Schultz [mailto:[EMAIL PROTECTED] Sent: Thursday, June 28, 2007 8:20 AM To: [EMAIL PROTECTED] Cc: Tomcat Users List Subject: Re: OT: Sessions -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vasu, [EMAIL PROTECTED] wrote: > The application has pretty decent authentication mechanism that > differentiates between users, roles and permissions etc. What the > application need to maintain is user object information specifically > - name, role, dept - to be used across other pages of the > application. Since we are using session as datum - after 2nd user > logs in ... the 1st user object is overwritten with 2nd user > information. Please be clear: is one session being hijacked by the second user, or is the second user getting a new session that both users are then using. (Check the session ids). > This creates problems specifically while logging out. In the > application we are making sure that only one user login is allowed > per user. This "feature" leads to all kinds of pain, IMO. > This also complicates when we are attempting to create audit log of > the user operations. Even though an operation is performed by the 1st > user the audit log registers it as the operation performed by 2nd > user. Again, please check the session ids. If both users are sharing a session (which I'm guessing is the case), then it's not really "user 1" that is issuing that request... it's "user 2", and "user 1" has effectively been logged-out of the system. Once again: why do you need to support different users in separate windows on the same machine? > This messes up the whole point of creating audit logs. Also, for the > question of Chris - there could be a need for two different users > with different roles could try to login and that is when we are > having this problem. I still don't get it. Why would two users login from the same machine at the same time? Is this just something that you are running across during testing, or do you actually want to support this use case? If you need to support this use case, you /must/ abandon cookie-based session management. Force your app server to do URL-rewriting and this problem should go away immediately. See my previous post for some caveats. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGg7WO9CaO5/Lv0PARAuSNAJ9XF2lkcERWqD3+mrzCq1ZLRiV9MgCgrDWM w1GBpCFRhPFB0PCxybVtVpM= =Xlgz -----END PGP SIGNATURE----- --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
