Session problem in mvc

  1. #1

    Session problem in mvc

    Hi all

    Well, I have the following problem:
    I have an app with a tipical login and I save the session vars in server with HttpContext (HttpContext.Current.Session["user"]...).
    Client saves nothing of session.
    The problem comes when some user opens a browser ("browser-window-1") and log in, then open other tab/window of the browser ("browser-window-2"), log out and log in with other credentials. Now, "browser-window-1" will work with the second session and rendered elements from the first.

    My first idea to solve it it's sending a token in each directevent, adding it as param but:
    1. My app has more than 3000 direct events so....
    2. I have no idea how to create a global method to check a token from directevents in each request in server.

    I have searched in Google and found a post about using cookies. I tryed it but are shared in both browser-tabs too.
    Now I am thinking about updating the cookie value with each ajaxrequest to send a value stored in JS, but seems too much work too....

    Close "browser-window-1" or redirect to "login" view its my goal if different session is in server.
    Finally my question is: Is there a "easy" solution with, or could you provide me a post with a solution?

    Sorry if there is a similar post that I haven't seen and thanks in advance.
    Last edited by VilcheS; Apr 06, 2016 at 9:40 AM.
  2. #2
    Hello @VilcheS!

    I am afraid Ext.NET does not manage by itself sessions.

    You need to maintain both sessions logged on the two different tabs? I don't think this works even for other services (like google, yahoo!, hotmail...). If you log out in one tab, the other tabs are logged out at the same time.

    And that's how I would recommend you to do: once user logs out from one tab, kill the session entirely, invalidating the other open tab.

    Some browsers offer identity separation, where the user can keep two different browser sessions open at once. On Chrome, the concept is called profiles.

    So, in summary:
    - When user logs out, completely kill session. This will enable an user in a single session to be browsing in different tabs (on same account). Cookies help maintain this thru browser restarts or tabs in some situations, but are not always required.
    - If the user needs/wants to maintain open different credentials at the same time, use either different browser or different browser profiles.

    I personally think that if you do not completely wipe out the session when the user logs out in one tab, you open a breach for service abuse with illicit user impersonation. This can even happen unwillingly by the user! Although it does not necessarily mean there is absolutely no means to do so without security risks.

    I hope this helps!
    Fabrício Murta
    Developer & Support Expert

Similar Threads

  1. Replies: 11
    Last Post: Jan 21, 2015, 4:18 PM
  2. [CLOSED] Progress Bar server side Session Value access Problem
    By legaldiscovery in forum 1.x Legacy Premium Help
    Replies: 5
    Last Post: Oct 11, 2012, 11:15 AM
  3. [CLOSED] Session management problem in IE8
    By vadym.f in forum 1.x Legacy Premium Help
    Replies: 9
    Last Post: Jun 13, 2012, 8:44 PM
  4. Session problem on IIS7
    By ven in forum 1.x Help
    Replies: 5
    Last Post: Jun 24, 2011, 3:33 PM
  5. Replies: 2
    Last Post: Feb 05, 2010, 5:20 PM

Posting Permissions