[Mono-list] Cross-Browser Session Mixing

Brion Vibber brion at pobox.com
Sun Jul 10 22:20:28 EDT 2005


David P. Donahue wrote:
> I've noticed an interesting effect in .NET development where sessions
> can get mixed if a single computer has two browsers open to the same
> site.  I originally noticed it on CafePress, but now my own site is
> exhibiting the same behavior.  I wonder if this is something people have
> tried to get around before, and what can be done about it.  It's rare
> that a user will want to use two simultaneous browsers, but when it
> happens it's certainly unexpected behavior from their perspective that
> the sessions would mix.  Any ideas?

Two *browsers* or two *windows* of the same browser application?

If two windows of one application (such as two Internet Explorer
windows), this is perfectly normal and will happen in pretty much any
server-side environment.

Sessions usually are keyed to cookies, which are tied to the browser
application, not to any particular open window. HTTP is a stateless
protocol and makes no restrictions about how many views you might have
open on the client or what order you visit them in, so you should always
be prepared to be 'reentrant' with multiple hits coming from the client
in different places.

For instance, if the user is browsing through a list of items in one
window, then does another search in another window, that second search
should not obliterate any server-side state for the first search. The
user might want to look at and page through both lists side-by-side.

If you mean two separate applications are sharing session state (such as
Firefox and Internet Explorer), then there might be something
problematic going on. Generally different applications will have their
own cookie storage and should thus maintain different sessions.

A mixture here might indicate a poor session keying construct such as
using the client's IP address (not guaranteed to be unique) or a key in
the URL which got cut-and-pasted from one browser to another. (Session
keys in the URL are dangerous, since keys may leak through cut-n-paste
and HTTP referer headers on external links.)

-- brion vibber (brion @ pobox.com)
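The following is an added illustration, not part of Brion's message or of any Mono/.NET code: a small Python simulation of the situation he describes. One Browser object holds one cookie jar, so every "window" of it presents the same SESSIONID; the server keeps session state in a dict keyed by that id. Two handlers are compared: search_shared keeps a single "current search" slot in the session, so window A's "next page" click after window B searched pages through B's results; search_per_view keys each window's results under a random view handle carried in that window's own links (separate from the session id, so a copy-pasted or Referer-leaked URL does not hand over the session), which is what being 'reentrant' means in practice. The item list, names Browser, request, search_shared, search_per_view and the two scenario functions are all constructed for this example.

```python
import secrets

# Constructed catalogue standing in for a database query.
ITEMS = [f"red-{i}" for i in range(1, 7)] + [f"blue-{i}" for i in range(1, 7)]
PAGE_SIZE = 2


class Browser:
    """One browser application. Every window of it shares this cookie jar."""

    def __init__(self):
        self.cookies = {}


def request(store, browser, handler, **query):
    """Front end: resolve the session from the cookie, then dispatch.

    `store` is the server's session table (session id -> dict). A browser
    with no SESSIONID cookie gets a fresh session and a Set-Cookie; every
    later request from any of its windows lands in that same session.
    """
    sid = browser.cookies.get("SESSIONID")
    if sid not in store:
        sid = secrets.token_urlsafe(16)
        store[sid] = {}
        browser.cookies["SESSIONID"] = sid
    return handler(store[sid], query)


def page_of(results, page):
    return results[page * PAGE_SIZE:(page + 1) * PAGE_SIZE]


def search_shared(session, q):
    """Non-reentrant handler: one 'current search' slot per session."""
    if "term" in q:
        session["results"] = [i for i in ITEMS if i.startswith(q["term"])]
        session["page"] = 0
    elif "page" in q:
        session["page"] = int(q["page"])
    return page_of(session.get("results", []), session.get("page", 0))


def search_per_view(session, q):
    """Reentrant handler: results live under a view handle that the page
    carries in its own paging links (?view=...&page=N). The handle is random
    and distinct from the session id, so leaking it reveals no session."""
    views = session.setdefault("views", {})
    if "term" in q:
        view_id = secrets.token_urlsafe(8)
        views[view_id] = {
            "results": [i for i in ITEMS if i.startswith(q["term"])],
            "page": 0,
        }
    else:
        view_id = q.get("view")
        if view_id not in views:  # stale, forged or missing view handle
            return view_id, []
        if "page" in q:
            views[view_id]["page"] = int(q["page"])
    v = views[view_id]
    return view_id, page_of(v["results"], v["page"])


def scenario_shared():
    """Two windows of one browser: A searches, B searches, A clicks 'next'."""
    store, browser = {}, Browser()
    a1 = request(store, browser, search_shared, term="red")
    b1 = request(store, browser, search_shared, term="blue")
    a2 = request(store, browser, search_shared, page=1)  # A's next page
    return a1, b1, a2, len(store)


def scenario_per_view():
    """Same sequence, but each window pages through its own view."""
    store, browser = {}, Browser()
    view_a, a1 = request(store, browser, search_per_view, term="red")
    view_b, b1 = request(store, browser, search_per_view, term="blue")
    _, a2 = request(store, browser, search_per_view, view=view_a, page=1)
    _, b2 = request(store, browser, search_per_view, view=view_b, page=1)
    return a1, b1, a2, b2, len(store)


if __name__ == "__main__":
    print("shared slot :", scenario_shared())
    print("per-view    :", scenario_per_view())
```

Both scenarios end with exactly one server-side session, which is the point: the two windows are not two sessions, and no cookie trick will make them so. The fix is to decide which state is really per-user (login, preferences, cart) and which is per-view (a result set and its page cursor), and to key the latter on something the window itself carries.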