Sessions shared across tabs
It's important to understand that multiple tabs/instances of the same browser will all
share the same server-side session when interacting with the same domain.
Server-side sessions can be implemented in two ways:
- browser cookies
- URL rewriting
Applications should usually use the following logic to implement sessions:
- if the browser has cookies enabled (usually the case), then use cookies to implement sessions.
- otherwise, use URL-rewriting to implement sessions, as a back-up.
(Using
<c:url> consistently will achieve this.)
Each cookie is attached to a domain, and nothing else.
So, every time the browser interacts with that domain, the cookie is sent to that domain's server.
For a given browser, the same cookie is sent for every tab/instance that interacts with that domain.
As a consequence, with a given client and browser, there's no way to have multiple sessions at the same time.
If the user has multiple accounts, and logs in a second time with a different account, on a different tab,
then they are actually overwriting the first login.
See Also :