For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Wynand_van_Nisp's avatar
Wynand_van_Nisp
Icon for Nimbostratus rankNimbostratus
Jun 02, 2008

Session persistance in browser tabs

Hi,     We have a client that has a Java banking app. The issue is as soon as you open multiple tabs the sessions get mixed up since the application uses cookies to maintain its session sta...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Jun 23, 2008
Hi Wynard,

 

 

What is the actual problem the customer is trying to address?

 

 

It sounds like the browser is working exactly as expected. There is no way to differentiate which tab or window of a browser originated a request using cookies. The browser will send the current value for the cookie assuming the cookie hasn't already been expired.

 

 

Did the tester log in on tab 1, open a new tab, log out and then log in as a different user before going back to the first tab? If so, what were they trying to prove? Wouldn't the app expire the user's session cookie and invalidate the session on the server if they logged out? If so, why would the new session ID still be valid on the server when they went back to the first tab and tried to navigate again?

 

 

I think it would help to get a clearer idea of what the issue is. But based on what you've mentioned so far, I'm guessing this is something that would best be fixed in the app itself.

 

 

Aaron