Two different sessions from the same computer - Possible?

Report · Mar 30, 2011

HI,

Our staff that use our intranet application like to open two browser windows whilst using our CF site.

The problem is that if they do this the session variables are shared between the browser sessions.

Eg the CFID, CFTOKEN and JSESSIONID are the same values between the two different browser windows ( IE 6, 7 or 8 opened from the desktop ).

Is there a way to force the browser to use a different cfid\cftoken\jsessionid each time a new browser window is opened?

This behaviour is the same for CF MX 6.1 and CF9 developer...

PS: If I open the "2nd" browser window in say Firefox or Chrome, different sessionid's are generated and the problem does not occur. Due to corporate policy I can't go installing other web browsers however...

Hope someone can provide instructive advice.

Report · Mar 30, 2011

The session is maintained by ColdFusion at the server end (fairly obviously) and by cookies at the browser end.

Therefore you have two options as far as I can see:

1 - Set your sessiontimeout to something fairly low, say a minute. However, that means people will be logged out after a minute of idle time, and if someone logs in, closes then reopens the browser within a minute it'll still be logged in. Not ideal.

2 - Set the browser to delete cookies on close. As CF has no comprehension of a browser being closed, it cannot manually end a session. It's therefore up to the browser to do so. Whether or not your company will allow you to make such a change is for you to find out of course, but there's a lot to be said for clearing all cookies in a corporate environment anyway, it's what I have set on my laptop to stop this exact issue occurring.

Hope that helps.

O.

Report · Mar 31, 2011

As Owain pointed out, the session is keyed on the CFID/CFTOKEN (or JSESSIONID) cookies, and those cookies are obviously not browser-instance-specific. There's no real way around that.

I guess the question is why is it a problem that each browser window shares the same session? I'm not saying it shouldn't be a problem, but in understanding why it's a problem, the solution could be possible via a different approach.

--

Adam

Report · Mar 31, 2011

An easy way is to have them use 2 different browsers, since cookies will not be shared between

them (IE and Firefox, FIrefox and Chrome, etc etc)

-reed

Report · Mar 31, 2011

An easy way is to have them use 2 different browsers

Due to corporate policy I can't go installing other web browsers

"Always read the question", as teacher always used to say

Report · Mar 31, 2011

You got me on that one Owain!

How about this, sort of a hack, but not too much. If there is a page in your app that everyone uses to enter the app, like a sign-on page, then on that page create a uniqe variable name and use to create a structure in the session scope to hold that browser instance's variables. The key is that this has to be a page that you only touch once when the person starts the app. if it is just a "home" page that they keep returning to while using the app, then every time that they return to it they will get a new set of session variables. Something like this:

This will keep the session vars of each browser instance from interacting with each other.

-reed

Report · Mar 31, 2011

Hello,

Why do they do this?

Well, some staff including myself have dual screen monitors. Staff like to have say a summary of a patient's info on one screen, and a different patient's on another, or the same patient's different stay on the other to compare info etc.

Reed, i do understand what you are saying. Sounds a bit complicated, and a lot of the app would need re-working

I could use URL variables more which is what I am looking into currently.Again, it will take a vit of work, especially since there are many "paths" into each page.

The was a point in the past, IE 6 perhaps, which did have different sessions I think which is why the problem has only started to be noticed recently as computers and browsers are being upgraded. Am pretty sure we would not have let staff do this if it had been always the case...

Report · Mar 31, 2011

Why do they do this?
Well, some staff including myself have dual screen monitors. Staff like to have say a summary of a patient's info on one screen, and a different patient's on another, or the same patient's different stay on the other to compare info etc.e...

Hang on... why would a user need two different sessions to view two different patients? There should only be info identifying the user in session; not the patient. Do they need different logins to see different patients?

The was a point in the past, IE 6 perhaps, which did have different sessions I think which is why the problem has only started to be noticed recently as computers and browsers are being upgraded. Am pretty sure we would not have let staff do this if it had been always the case...

Nup, it's nowt to do with IE6. Perhaps you've had an app change in which the session behaves differently.

--

Adam

Report · Mar 31, 2011

Hang on... why would a user need two different sessions to view two different patients? There should only be info identifying the user in session; not the patient. Do they need different logins to see different patients?

No, the criteria in the query to select the patient uses session variables.

Eg

login, select a patient ( left monitor )

new browser, login, select a patient ( right monitor)

refresh browser on left monitor and you get the patient from the other session on the right monitor.

boo.

Report · Mar 31, 2011

Hang on... why would a user need two different sessions to view two different patients? There should only be info identifying the user in session; not the patient. Do they need different logins to see different patients?
No, the criteria in the query to select the patient uses session variables.

Quite. What I was asking is "why?" Why is patient information in the session scope to begin with? What's the query?

This is what your issue is. Not that different windows of the same browser use the same session cookies.

--

Adam

Report · Apr 01, 2011

Regarding: "Quite. What I was asking is "why?" Why is patient information in the session scope to begin with? What's the query?"

We have applications where patient information is in the session scope. Why do we do that? So that we don't have to get it each time someone selects a hyperlink. Generally speaking, this is a very common reason to put information in the session scope.

For the OP, I have no information that will help you solve your problem.

Report · Apr 02, 2011

If you were to do that - and personally I wouldn't, but hey - then I would make sure to check that the one in session is actually the one being requested (compare the IDs). If it's the same: fine, re-use. If not: fetch it.

But storing a patient in session like this is only sensible iff one is staying on the same patient almost all the time, within a given session.

When a patient is rendered as a form, or loaded via a URL, then the patient ID in the form or URL should take precedence over the session one. So when submitting a form (say for update), then the patient being updated is the one IDed in the •form scope•, not the session scope. Perhaps the update should also update the session scope, or simply blitz it if the IDs don't match.

TBH, given the way your users seem to use your app, I don't think storing info about a patient in session makes much sense. Perhaps you could store the last n patients in session (keyed by ID), rather than just "the patient". As you've seen: this approach has limitations.

--

Adam

Report · Apr 01, 2011

No, the criteria in the query to select the patient uses session variables.

POW. There's your issue - the Session scope is not really intended to be used for that purpose. The URL scope is for per-page settings, the SESSION scope is, obviously, per session.

Any reason it needs to be like that? You're going to constantly have issues until that changes.

Report · Apr 01, 2011

The handling of cookies is controlled by the browser, as others have already noted. However, different browsers have different default behaviors about this, and some browsers let you control this. For example, in some versions of IE, whether windows share the same session is determined by how the windows are opened. Google "ie separate session" to see how that works. I haven't really tried that stuff with IE, but with Chrome for example, I have two different profiles which lets me keep myself logged in to multiple Google accounts.

Your other alternative is to track windows in your application, and have corresponding session data within the same session for each window. Frankly, that sounds like it would be a lot of work to retrofit that to your application.

Dave Watts, CTO, Fig Leaf Software

http://www.figleaf.com/

http://training.figleaf.com/

Report · Apr 04, 2011

Hello,

I have just tested in IE 6.0.something, and have proved that it generated different CFID CFTOKEN's each time the browser was opened.

other version don't.

originally the app was developed against IE 6.0.

I am currently re-developing the system to use URL variables instead.

Thanks all for providing insight.

Report · Apr 04, 2011

Uh??!

Is the IE6 install set to not accept cookies or something?

Is it a different session per browser window, or a different session per request? IE: do you get a different CFID/CFTOKEN for every request even in the same browser window?

--

Adam

Adobe Community

Two different sessions from the same computer - Possible?