Known Participant
March 31, 2011
Question

Two different sessions from the same computer - Possible?


Hi,

Our staff that use our intranet application like to open two browser windows whilst using our CF site.

The problem is that if they do this the session variables are shared between the browser sessions.

E.g. the CFID, CFTOKEN and JSESSIONID are the same values between the two different browser windows (IE 6, 7 or 8 opened from the desktop).

Is there a way to force the browser to use a different cfid\cftoken\jsessionid each time a new browser window is opened?

This behaviour is the same for CF MX 6.1 and CF9 developer...

PS: If I open the "2nd" browser window in say Firefox or Chrome, different sessionid's are generated and the problem does not occur. Due to corporate policy I can't go installing other web browsers however...

Hope someone can provide instructive advice.

This topic has been closed for replies.

5 replies

Known Participant
April 5, 2011

Hello,

I have just tested in IE 6.0.something, and have proved that it generated different CFID/CFTOKENs each time the browser was opened.

Other versions don't.

Originally the app was developed against IE 6.0.

I am currently re-developing the system to use URL variables instead.

Thanks all for providing insight.

Inspiring
April 5, 2011

Uh??!

Is the IE6 install set to not accept cookies or something?

Is it a different session per browser window, or a different session per request? I.e., do you get a different CFID/CFTOKEN for every request even in the same browser window?

--

Adam

Community Expert
April 1, 2011

The handling of cookies is controlled by the browser, as others have already noted. However, different browsers have different default behaviors about this, and some browsers let you control this. For example, in some versions of IE, whether windows share the same session is determined by how the windows are opened. Google "ie separate session" to see how that works. I haven't really tried that stuff with IE, but with Chrome for example, I have two different profiles which lets me keep myself logged in to multiple Google accounts.

Your other alternative is to track windows in your application, and have corresponding session data within the same session for each window. Frankly, that sounds like it would be a lot of work to retrofit that to your application.

Dave Watts, CTO, Fig Leaf Software

http://www.figleaf.com/

http://training.figleaf.com/

Dave Watts, Eidolon LLC
Inspiring
March 31, 2011

An easy way is to have them use 2 different browsers, since cookies will not be shared between them (IE and Firefox, Firefox and Chrome, etc etc)

-reed

Owainnorth
Inspiring
March 31, 2011

An easy way is to have them use 2 different browsers

Due to corporate policy I can't go installing other web browsers

"Always read the question", as teacher always used to say

Inspiring
March 31, 2011

You got me on that one Owain!

How about this, sort of a hack, but not too much. If there is a page in your app that everyone uses to enter the app, like a sign-on page, then on that page create a unique variable name and use it to create a structure in the session scope to hold that browser instance's variables. The key is that this has to be a page that you only touch once when the person starts the app. If it is just a "home" page that they keep returning to while using the app, then every time that they return to it they will get a new set of session variables. Something like this:

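<!--- Build a struct name for this browser window --->
<cfset mysession="b#randRange(1000,9999)#">
<!--- Create that window's struct inside the shared session scope --->
<cfset session[mysession]=structnew()>
<!--- Store this window's variables in its own struct --->
<cfset session[mysession].var1=123>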

This will keep the session vars of each browser instance from interacting with each other.

-reed
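
The per-window idea raised in this thread (a separate struct inside the one shared session for each window), as an added example that is not code from any poster. It swaps randRange() for createUUID(), and the names url.win, session.windows, request.win, request.winState, maxWindows and orders.cfm are assumptions made for illustration.

```cfml
<!--- Added example. Place at the top of every request (e.g. Application.cfm).
      Hypothetical names: url.win, session.windows, request.win,
      request.winState, maxWindows, orders.cfm. --->
<cfparam name="url.win" default="">
<cfset maxWindows = 10><!--- assumed cap so one session cannot grow unbounded --->

<cflock scope="session" type="exclusive" timeout="5">
    <cfif NOT structKeyExists(session, "windows")>
        <cfset session.windows = structNew()>
    </cfif>

    <!--- Accept only window IDs this session issued itself. The lookup stays
          inside the caller's own session (still keyed on the CFID/CFTOKEN or
          JSESSIONID cookie), so win is a partition label, not a credential. --->
    <cfif NOT len(url.win) OR NOT structKeyExists(session.windows, url.win)>
        <cfif structCount(session.windows) GTE maxWindows>
            <cfthrow type="TooManyWindows" message="Window limit reached for this session.">
        </cfif>
        <!--- createUUID() instead of randRange(1000,9999): avoids two
              windows drawing the same key --->
        <cfset url.win = createUUID()>
        <cfset session.windows[url.win] = structNew()>
    </cfif>

    <cfset request.win = url.win>
    <!--- Structs are assigned by reference, so writes land in the session --->
    <cfset request.winState = session.windows[request.win]>
</cflock>

<!--- Page code reads and writes request.winState instead of session directly --->
<cfset request.winState.var1 = 123>

<!--- Every link and form must carry the window ID forward --->
<cfoutput>
    <a href="orders.cfm?win=#urlEncodedFormat(request.win)#">Orders</a>
</cfoutput>
```

A window opened on a copied URL carries the same win value and therefore shares that partition; only windows that start from a URL without win get their own.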

Inspiring
March 31, 2011

As Owain pointed out, the session is keyed on the CFID/CFTOKEN (or JSESSIONID) cookies, and those cookies are obviously not browser-instance-specific.  There's no real way around that.

I guess the question is why is it a problem that each browser window shares the same session?  I'm not saying it shouldn't be a problem, but in understanding why it's a problem, the solution could be possible via a different approach.

--

Adam

Owainnorth
Inspiring
March 31, 2011

The session is maintained by ColdFusion at the server end (fairly obviously) and by cookies at the browser end.

Therefore you have two options as far as I can see:

1 - Set your sessiontimeout to something fairly low, say a minute. However, that means people will be logged out after a minute of idle time, and if someone logs in, closes then reopens the browser within a minute it'll still be logged in. Not ideal.

2 - Set the browser to delete cookies on close. As CF has no comprehension of a browser being closed, it cannot manually end a session. It's therefore up to the browser to do so. Whether or not your company will allow you to make such a change is for you to find out of course, but there's a lot to be said for clearing all cookies in a corporate environment anyway, it's what I have set on my laptop to stop this exact issue occurring.

Hope that helps.

O.