[Mono-list] Cross-Browser Session Mixing

David P. Donahue ddonahue at ccs.neu.edu
Mon Jul 11 06:46:14 EDT 2005


You are correct, it's two windows of the same browser application.  What 
you are saying makes sense, of course.  Now, I'm not maintaining 
anything about the session in the URL (I do use the occasional 
QueryString variable, but it's not really tied to the session, just 
telling that page which item in a given dataset to show).

As for using the IP address, that's entirely a matter of how .NET 
internally maintains sessions.  All I do is create a list of session 
variables (HttpContext.Current.Session["variableName"]) on Session_Start 
and use those throughout the session to have certain pieces of 
information follow the user so that each page can access that 
information.  When I began developing .NET websites, this seemed like an 
easy and effective way to do this.  Does anyone have a suggestion for a 
better way?


Regards,
David P. Donahue
ddonahue at ccs.neu.edu
http://www.cyber0ne.com



Brion Vibber wrote:
> David P. Donahue wrote:
> 
>> I've noticed an interesting effect in .NET development where sessions
>> can get mixed if a single computer has two browsers open to the same
>> site.  I originally noticed it on CafePress, but now my own site is
>> exhibiting the same behavior.  I wonder if this is something people have
>> tried to get around before, and what can be done about it.  It's rare
>> that a user will want to use two simultaneous browsers, but when it
>> happens it's certainly unexpected behavior from their perspective that
>> the sessions would mix.  Any ideas?
> 
> 
> Two *browsers* or two *windows* of the same browser application?
> 
> If two windows of one application (such as two Internet Explorer
> windows), this is perfectly normal and will happen in pretty much any
> server-side environment.
> 
> Sessions usually are keyed to cookies, which are tied to the browser
> application, not to any particular open window. HTTP is a stateless
> protocol and makes no restrictions about how many views you might have
> open on the client or what order you visit them in, so you should always
> be prepared to be 'reentrant' with multiple hits coming from the client
> in different places.
> 
> For instance, if the user is browsing through a list of items in one
> window, then does another search in another window, that second search
> should not obliterate any server-side state for the first search. The
> user might want to look at and page through both lists side-by-side.
> 
> If you mean two separate applications are sharing session state (such as
> Firefox and Internet Explorer), then there might be something
> problematic going on. Generally different applications will have their
> own cookie storage and should thus maintain different sessions.
> 
> A mixture here might indicate a poor session keying construct such as
> using the client's IP address (not guaranteed to be unique) or a key in
> the URL which got cut-and-pasted from one browser to another. (Session
> keys in the URL are dangerous, since keys may leak through cut-n-paste
> and HTTP referer headers on external links.)
> 
> -- brion vibber (brion @ pobox.com)
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Mono-list maillist  -  Mono-list at lists.ximian.com
> http://lists.ximian.com/mailman/listinfo/mono-list
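
The points quoted above about cookie-keyed sessions, reentrancy and IP keying, as an added example that is not part of the original thread and is not ASP.NET's or Mono's own code. It is a toy in-memory session store (all class, method, key and view-id names are assumptions) in which a single shared session slot is overwritten by a second window, per-view slots keep both windows independent, and keying on client IP merges two users.

```csharp
using System;
using System.Collections.Generic;

// Toy in-memory server for illustration; not ASP.NET's session implementation.
class SessionKeyingDemo
{
    // session key -> (slot name -> value), standing in for server-side session state
    static readonly Dictionary<string, Dictionary<string, string>> Store =
        new Dictionary<string, Dictionary<string, string>>();

    static Dictionary<string, string> SessionFor(string key)
    {
        Dictionary<string, string> slots;
        if (!Store.TryGetValue(key, out slots)) Store[key] = slots = new Dictionary<string, string>();
        return slots;
    }

    // Fragile: one "search" slot per session, so the latest request from any window wins.
    static void SearchShared(string key, string query) { SessionFor(key)["search"] = query; }
    static string NextPageShared(string key) { return SessionFor(key)["search"]; }

    // Reentrant: one slot per view. viewId is a hypothetical query-string value that only
    // selects a slot inside the cookie-keyed session; it is not a session key or a secret.
    static void SearchPerView(string key, string viewId, string query) { SessionFor(key)["search:" + viewId] = query; }
    static string NextPagePerView(string key, string viewId) { return SessionFor(key)["search:" + viewId]; }

    static void Main()
    {
        // Constructed scenario 1: two windows of one browser present the same cookie.
        SearchShared("cookie-A", "guitars");   // window 1
        SearchShared("cookie-A", "drums");     // window 2
        Console.WriteLine("shared slot, window 1 pages on: " + NextPageShared("cookie-A"));

        SearchPerView("cookie-B", "v1", "guitars");   // window 1
        SearchPerView("cookie-B", "v2", "drums");     // window 2
        Console.WriteLine("per-view slot, window 1 pages on: " + NextPagePerView("cookie-B", "v1"));

        // Constructed scenario 2: keying on client IP. Two users behind one NAT address
        // (203.0.113.7, a documentation address) land in the same session.
        SearchShared("203.0.113.7", "user 1 search");
        SearchShared("203.0.113.7", "user 2 search");
        Console.WriteLine("IP-keyed, user 1 pages on: " + NextPageShared("203.0.113.7"));
    }
}
```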

