I just wondered what exactly creates a new session on a web server.
For example, if I visit the same website in 2 different tabs of a tabbed browser, would each create a new session on the server or would they both share the same 1?
The person writing the page can set the timeout for a session, so how long you waited to open the second tab would determine whether you got a new sessionID or not.
OK, I realise about sessions timing out, so if I simultaneously visit the same site then the different windows would share the session?
Actually, ignore this; I'll just write a quick web page and find out that way. I was just being lazy really, wasn't I?
No, not really. But session isn't clearly defined. What software? PHP sessions? Java Servlet sessions? ASP.Net sessions? HTTP-Auth? Custom-built solutions?
What it comes down to is this: HTTP-Auth is in the hands of the browser, but because it's not session management but only authentication, no browser I know of handles tabs separately.
All other session management typically has two modes of operation: if cookies are available, they're used. Cookies are shared, so all tabs have the same session. If they're not available, though, URL rewriting is the typical solution. This means that every URL either must be passed to a special function or a special filter runs over the entire page. In this case, sessions are separate.
The sessions in question were ASP.NET, and I'd never really thought about it before, but I was demo-ing a product in 2 Firefox tabs and actions (that changed session variables) in 1 tab were affecting the application in the other tab too.
Thanks, you were very informative.
Quote: Originally Posted by CornedBee
Even if the URLs are the same?
If the URLs contain the same session key, it's the same session. If that happens by any means except opening a link from one session in another tab, it's a security hole.
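The behaviour discussed in this thread, as an added example that is not part of any post: a toy Python simulation (not ASP.NET) of cookie-based versus URL-rewritten session lookup. The `SessionServer` and `Browser` classes, the `sid` parameter name and the `app.example` host are made up for illustration.

```python
import secrets
from urllib.parse import urlparse, parse_qs

class SessionServer:
    """Toy server: finds the session id in a cookie, or in the URL if cookieless."""
    def __init__(self, cookieless=False):
        self.cookieless = cookieless
        self.sessions = {}  # session id -> session variables

    def handle(self, url, cookies):
        """Return (session_id, session_vars, cookie_to_set) for one request."""
        if self.cookieless:
            sid = parse_qs(urlparse(url).query).get("sid", [None])[0]
        else:
            sid = cookies.get("sid")
        set_cookie = None
        # A missing or unknown id is never adopted: the server issues its own.
        if sid not in self.sessions:
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = {}
            if not self.cookieless:
                set_cookie = sid
        return sid, self.sessions[sid], set_cookie

class Browser:
    """One cookie jar shared by every tab of the same browser profile."""
    def __init__(self, server):
        self.server, self.jar = server, {}

    def open_tab(self, url):
        sid, data, set_cookie = self.server.handle(url, self.jar)
        if set_cookie:
            self.jar["sid"] = set_cookie
        return sid, data

def demo():
    results = {}
    # Cookie mode: a change made in tab 1 is visible in tab 2.
    b = Browser(SessionServer())
    sid1, vars1 = b.open_tab("http://app.example/")
    vars1["cart"] = 3
    sid2, vars2 = b.open_tab("http://app.example/")
    results["cookie_shared"] = sid1 == sid2 and vars2.get("cart") == 3
    # Cookieless mode: same bare URL in two tabs gives two sessions...
    b = Browser(SessionServer(cookieless=True))
    sid3, _ = b.open_tab("http://app.example/")
    sid4, _ = b.open_tab("http://app.example/")
    results["url_separate"] = sid3 != sid4
    # ...but a URL carrying tab 3's key lands in tab 3's session.
    sid5, _ = b.open_tab(f"http://app.example/?sid={sid3}")
    results["url_key_shares"] = sid5 == sid3
    return results

if __name__ == "__main__":
    print(demo())
```

The last case is why a session key in the URL is sensitive: anyone who obtains that URL is in the same session, so URL-carried keys need to stay out of logs, referrers and shared links.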