Tab based browser – session handling

Tab based browsers seems to be a common feature these days and is definitely quite handy. But for most of the web developers, it’s quite annoying feature when it comes to building Applications that makes use of sessions. Problems of data getting overridden when users tend to juggle between the tabs, causes lot of data inconsistencies. Having seen these problems, I tried doing some googling to check if there is any solution available to tackle it. While there was no definite solution suggested by anyone, I stumbled upon one of the link on nabble.—work-around.-td29876222.html

While the approach discussed in the above post, looks quite interesting, it somewhat seems to be coupled with Tomcat server. After spending couple of hours, I thought of an extended version of above approach.

In above sequence diagram (hope it looks like one), every request to the concerned application is intercepted by the Filter before its gets actually delivered to the WebResource (JSP/Servlet etc.). The intercepting filter performs following operations
Checks if the requested URL contains unique id, if it doesn’t generates one. (At this stage, user may be redirected to login page depending on the need of the application.)

1. If Unique ID is already present in the Request URL, checks if it is valid for the session (Reduces chances of session hacking to some extent).

2. Generates HttpServletRequestWrapper instance and passes the instance of current HttpServletRequest to it. Note that, it is required to write a new class which inherits from HttpServletRequestWrapper and overrides methods as stated in above diagram.
By calling doFilter method forwards the request to WebResource.

3. Also it is necessary to create a wrapper implementation for HttpSession. This wrapper must ensure that methods like getAttribute, setAttribute etc must be overridden to ensure consistency across requests. (Above approach creates virtual sessions against one session, depending upon the tabs opened by user.) Above approach requires that the attributes in the session must be stored in map instead of in session itself. The keys for map are the Unique ID.

4. Do URL rewriting so that next request will contain unique id.

Since this approach makes use of Filters and Utility classes like HttpServletRequestWrapper, it should work across all the servers supporting JavaEE.

Though it’s still a concept and hasn’t implemented it myself, I am not sure of consequences it may have on application in terms of security or other aspects. It would be really helpful, if someone can present the views.

By Carbon Rider

Hi this is Yogesh, welcome to my world. Being passionate about learning new technologies and building frameworks, I end up spending most of my time in front of computer. But over last few months, I realised apart from being good coder and designer (Yes I am) I have something hidden in me. And thats called ART.

5 replies on “Tab based browser – session handling”

Leave a Reply