[转]Stop Sharing Session State between Multiple Tabs of Browser

本文转自：http://jinaldesai.net/stop-sharing-session-state-between-multiple-tabs-of-browser/

Scenario: By default all browsers share session state between multiple tabs. So if you logged into one tab with particular site and open internal link of the same site in new tab, you need not to worry to login again. It will automatically declare you as logged in user.

For example, if I open google and login to google.com. Now I open new tab in the same browser and type gmail.com then it will automatically logged in me and redirect to google mail, here at this step it will not ask me to log in again.

Requirements: There are some situations where we need to stop sharing session between the browser tabs. 1. Requirement to force user to provide credentials for every new tab(or any other user identifying information). 2. If user retrieves particular record(lets say order information) into two different tabs. In one tab user deletes the record and in another tab user is trying to modify the record. In this situation data will be unstable and cause error. 3. If you are building secure site like e-banking or money transactional site then you need to force user to stay only on single tab, rather than using multiple tabs for doing money transactional activities. 4. If I am administrator of customer accounts in site. Now I am accessing account of customer “ABC” and then open new tab and access account of customer “PQR”. The session is now holding information for customer “PQR” and thinks that I am working on customer “PQR”. Now after working on customer “PQR”, I am coming back to customer “ABC” (tab) and start editing it. Actually according to session information it is assuming again that I am editing customer “PQR” and the problem starts here(data discrepancy).

Solutions: 1. Prevent user from opening new tab: I have found some javascript solutions which you can deploy at client side(obviously you need to worry about browser versions) to achieve this. 2. Identify page request per tab(uniquely) which help server to interprit the request as unique request for new tab even though it is for same record. In fact there are many ways we can achieve this in Asp.NET.

2.1 First Solution. The Simpler Solution: You can change config settings of Asp.NET site as following.

<configuration>

  <system.web>

      <sessionState mode="InProc" cookieless="UseUri"> 

          </sessionState>

  </system.web>

</configuration>

or

<configuration>

  <system.web>

    <sessionState cookieless="true"

      regenerateExpiredSessionId="true" />

  </system.web>

</configuration>

As you show, the value “UseUri” of cookieless attribute with sessionstate tag is set. This indicate to use cookieless session and in particular embed session identifying code into the URI. So each tab you open contains unique code for identifying the request as unique request in URI itself. The unique code is appended before the page name.

i.e. http://www.abc.com/SampleWebSite/(S(afdg3ires1ik0lmjm3pkjtzl))/Home.aspx

The only cons of this solution is that the URI is then distorted with some unique code. So user can not use it for bookmarking or promoting site. It is not generating bookmark friendly.

2.2 Second Solution. Manually generate unique page identification code and insert it into hidden field on every page.

<asp:HiddenField ID="PageID" runat="server" />

In the form load include following code. It will generate unique page identification code based on millisecond and other time component which always be unique for your site.

If Not IsPostaback Then

  'Generate a new PageiD'

  Dim R As New Random(DateTime.Now.Millisecond +

         DateTime.Now.Second * 1000 +

         DateTime.Now.Minute * 60000 +

         DateTime.Now.Minute * 3600000)

  PageID.Value = R.Next()

End If

So by this method you can identify each tab request as unique requests. But it has following two disadvantages.

First: The access of hidden element PageID is only when ViewState is restored on postback. So you cannot access PageID in page_init(). Second: As hidden field is accessible to the visitor, anyone can change PageID. So this solution will work only for environment with 100% trust ratio of all user.

2.3 Third Solution. Using Javascript assign a unique id like a guid to the browser window / tab by assigning the guid value to the window.name property. window.name property is unique to each browser window/tab and won’t be shared across the windows. Using the guid as the key, read and write data to your ASP.NET session via a webservice. Since javascript does not have access to asp.net session, you will need to use a webservice and call it’s method through javascript. The data can be transfered between javascript and webservice via JSON.

Conclusion: Even though it is feature of most browsers to share session between the tabs, there are some situations which requires to stop sharing session across multiple tab. Here in this article I have shared some tricks you can use to overcome this bottleneck. You can also share your solutions with me.

References: http://forums.asp.net/t/1098023.aspx/1 http://stackoverflow.com/questions/2840615/asp-net-session-multiple-browser-tabs-different-sessions http://msdn.microsoft.com/en-us/library/ms178581.aspx http://geekswithblogs.net/ranganh/archive/2009/04/17/asp.net-session-state-shared-between-ie-tabs-and-ie8.aspx http://www.codeproject.com/Answers/148538/Session-Sharing-in-multiple-tabs-in-IE-in-Asp-net#answer3 https://sites.google.com/site/sarittechworld/track-client-windows http://stackoverflow.com/questions/2829228/way-around-asp-net-session-being-shared-across-multiple-tab-windows