reset password
xieguahu
Posts: 50
Posted 14:42 Nov 29, 2009

I noticed that when I test the security, I need to use two different kinds of browsers.

Because if I open an IE browser and, without logging out, open another IE browser and log in as another user, the security does not work correctly.

However, if I open a Firefox browser and log in and, without logging out, open an IE browser and log in as another user, the security works fine. (It also works the other way around: IE first and then Firefox.)

So it should be an issue with the browser settings, not something wrong with my implementation?

cysun
Posts: 2935
Posted 14:49 Nov 29, 2009

This is the correct behavior.

The first person who posts a good explanation of this behavior will receive 10pt extra credit.

ashoush
Posts: 25
Posted 15:18 Nov 29, 2009

I believe this happens because different instances of the same browser share the same session. (IE used to use different sessions in previous versions, but I noticed this is no longer the case in IE 8.) So by opening a new browser of the same type and logging in with a different username, a new session is created and the previous session expires automatically. But by using two different browsers you can have two different sessions, and consequently two users can be connected to the system simultaneously from the same computer.

Last edited by ashoush at 15:19 Nov 29, 2009.
cysun
Posts: 2935
Posted 15:29 Nov 29, 2009
ashoush wrote:

I believe this happens because different instances of the same browser share the same session. (IE used to use different sessions in previous versions, but I noticed this is no longer the case in IE 8.) So by opening a new browser of the same type and logging in with a different username, a new session is created and the previous session expires automatically. But by using two different browsers you can have two different sessions, and consequently two users can be connected to the system simultaneously from the same computer.

Yes, but explain a little bit more how "the previous session expires automatically".

ashoush
Posts: 25
Posted 15:44 Nov 29, 2009

I believe when a user logs in to the system, Spring Security invalidates the current session and initiates a new session for the new user. This makes any session in other browsers of the same type change to the new session. As the logged-in user information is kept in the session variables, the user for all the previously opened browsers is now considered the recently logged-in user.

cysun
Posts: 2935
Posted 15:51 Nov 29, 2009
ashoush wrote:

I believe when a user logs in to the system, Spring Security invalidates the current session and initiates a new session for the new user. This makes any session in other browsers of the same type change to the new session. As the logged-in user information is kept in the session variables, the user for all the previously opened browsers is now considered the recently logged-in user.

Not quite.

niteenborge
Posts: 7
Posted 17:52 Nov 29, 2009

The HttpSessionContextIntegrationFilter is responsible for storing a SecurityContext between HTTP requests. The HttpSession is used to store this information.

As the HTTP session is stateless, it gets killed when we close the browser; also, it is different for different browsers.

cysun
Posts: 2935
Posted 18:09 Nov 29, 2009
niteenborge wrote:

The HttpSessionContextIntegrationFilter is responsible for storing a SecurityContext between HTTP requests. The HttpSession is used to store this information.

As the HTTP session is stateless, it gets killed when we close the browser; also, it is different for different browsers.

No.

niteenborge
Posts: 7
Posted 20:09 Nov 29, 2009

I checked: in the response, "JSESSIONID" is the same for any instance of the browser (including Ctrl+N). When we close the browser completely, it generates a new session ID. It is true for different browsers. I think the server sets the session ID after login and checks authentication for every request. It checks for the same session ID. If it is different, then it tells the user to log in again.

cysun
Posts: 2935
Posted 21:50 Nov 29, 2009
niteenborge wrote:

I checked: in the response, "JSESSIONID" is the same for any instance of the browser (including Ctrl+N). When we close the browser completely, it generates a new session ID. It is true for different browsers. I think the server sets the session ID after login and checks authentication for every request. It checks for the same session ID. If it is different, then it tells the user to log in again.

In our case the browser is not closed. Suppose you log in as a user, then open another browser window or tab and log in as a different user; you will be automatically logged out of the first account, i.e. the first session will be automatically terminated. How is the first session terminated?

niteenborge
Posts: 7
Posted 22:06 Nov 29, 2009

The SecurityContext gets updated with the new login, which does not match the old session data.

cysun
Posts: 2935
Posted 07:52 Dec 01, 2009

The key is to understand how "session" works. As we discussed in CS320 and in the review lecture of this class, when a client first sends a request to the server, the server generates a unique token (a random number or string) which is usually called a session id, and sends it back to the client. All subsequent requests from the client should include this token so that the server can recognize the client. In most cases, sessions are implemented using cookies. In particular, the session id is sent back and forth between the client and the server as the value of the cookie header in the HTTP requests and responses.

Because an HTTP session relies on both the client and the server "remembering" the same session id, a session can be terminated by either side. For example, a server can terminate a session by expiring a session id, and a client can terminate a session by deleting the cookie that contains the session id.

Now back to the case we are discussing. When a user first logs into a website, the client browser receives a session id that is stored in a cookie. If the user logs in to a different account, the server sends back a new session id in another cookie. Because the new cookie comes from the same host, for the same path, and has the same name as the old cookie, it replaces the old cookie; in other words, the new session id overwrites the old session id, so the old session is gone. Note that in this case, the session is terminated on the client side, not by Spring Security on the server.
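As an added illustration of the exchange described in the post above (not code from this thread or from Spring Security), the following Python model plays both sides: a server that issues a fresh JSESSIONID per login and leaves earlier sessions alone, and a per-browser cookie jar that replaces a cookie having the same name, host and path. The host name example.test and the user names are constructed for the example.

```python
import secrets

class Server:
    """Issues a fresh session id per login; earlier sessions are left untouched."""
    def __init__(self):
        self.sessions = {}  # session id -> logged-in user

    def login(self, username):
        sid = secrets.token_hex(16)  # the unique random token the server generates
        self.sessions[sid] = username
        return {"Set-Cookie": f"JSESSIONID={sid}; Path=/; HttpOnly"}

    def whoami(self, cookie_header):
        for pair in cookie_header.split("; "):
            name, _, value = pair.partition("=")
            if name == "JSESSIONID" and value in self.sessions:
                return self.sessions[value]
        return None

class CookieJar:
    """One browser's cookie store, shared by all of its windows and tabs.
    RFC 6265 identifies a cookie by (name, domain, path); a Set-Cookie with the
    same triple replaces the old value, which is how the old session id is lost."""

    def __init__(self, host):
        self.host, self.cookies = host, {}  # (name, domain, path) -> value

    def store(self, response):
        name_value, *attrs = [a.strip() for a in response["Set-Cookie"].split(";")]
        name, _, value = name_value.partition("=")
        attrs = dict(a.partition("=")[::2] for a in attrs)  # e.g. {"Path": "/"}
        self.cookies[(name, self.host, attrs.get("Path", "/"))] = value  # overwrite

    def cookie_header(self):
        return "; ".join(f"{n}={v}" for (n, _, _), v in self.cookies.items())

def same_browser():
    """Two IE windows share one jar: bob's Set-Cookie overwrites alice's id."""
    server, ie = Server(), CookieJar("example.test")
    ie.store(server.login("alice"))
    alice_cookie = ie.cookie_header()  # what the client held after the first login
    ie.store(server.login("bob"))      # second login from another window or tab
    # The client can now only present bob's id, yet alice's session still exists
    # on the server: the session was dropped by the client, not by the server.
    return server.whoami(ie.cookie_header()), server.whoami(alice_cookie), len(server.sessions)

def two_browsers():
    server, ie, ff = Server(), CookieJar("example.test"), CookieJar("example.test")
    ie.store(server.login("alice"))
    ff.store(server.login("bob"))
    return server.whoami(ie.cookie_header()), server.whoami(ff.cookie_header())
```

Running `same_browser()` shows the old session is still valid on the server if its id is presented, which is why the client-side cookie overwrite, not a server-side invalidation, is what logs the first user out.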