Session shared in between tabs

Problem description

I have a JAVA web application where I need to stop session being shared between browser tabs, meaning

User opens a browser, logs into his account and opens a particular page in a new tab in the same browser. As per the default setting the session is shared to the new tab and the user is automatically logged in to the new tab. Can anyone tell how this can be stopped so I can at least restrict this in a few sensitive pages if not the entire application.

Recommended answer

Usually cookies are used for session handling. Then all tabs and browser windows share the same session. But you can configure your servlet container to use URL rewrite instead of cookies. (Here is an example for Jetty.)

With URL rewrite the session is only identified via a URL parameter containing the session ID. So every internal URL of your web application has to be enhanced with this parameter using the method HttpServletResponse.encodeURL(). If you are using a web framework like Wicket, chances are good that this is already done for you.

With URL rewrite it is possible to have several independent sessions in different windows or tabs of the same browser instance.

Update: In response to the downvote I want to make clear the different behaviour of URL rewriting:

Let's assume the website's URL is http://webapp.com.

Cookies: Open http://webapp.com in the first browser tab.

The server creates a session and sends a cookie in the response.

The browser stores the cookie.

Then open http://webapp.com in the second browser tab. The browser associates this URL with the recently stored cookie and adds the cookie to the request.

For the server there is no difference between requests from the first or second browser tab, and it responds from the same session. Sometimes this is the desired behaviour.

URL rewriting: Open http://webapp.com in the first browser tab.

The server creates a session with ID 1 and adds the parameter jsessionid=1 to every URL in the response page. No cookie is transferred.

All further requests to another page of the same webapp from the first browser tab include the session ID (for example 1).

Then open http://webapp.com from the second browser tab. Here is the difference! Because there is no cookie and no jsessionid parameter in the request, the server creates a new session (i.e. ID 2) and adds parameter jsessionid=2 to every URL contained in the response page. From now on all subsequent requests from the second browser tab are associated with session 2.

So you have two independent sessions in the same browser.
