Problem with session cookies

Giganews Newsgroups
Subject: Problem with session cookies
Posted by:  Clayton Arends (nospam_claytonarends@hotmail.com)
Date: Sun, 20 Nov 2011

While performing some session testing against a web server built on
TIdHTTPServer I discovered that the same session IDs are being used from
multiple browser windows.  Thinking that this was caused by the use of
persistent cookies I investigated further.  From my understanding it looks
like Indy uses "session cookies" by default which has me completely
perplexed as to why the browser is using the cookie between tabs/windows.
Both IE9 and FF7/8 behave the same way.  In the case of IE even when I close
all browser windows and open a new window the browser continues to send the
previously used session ID.  FF destroys the cookie when closing the last
instance of the browser.

Here is a dump of two communications with the server (I've removed some
lines to keep this post shorter):

-------

// First connection by a Firefox browser window

0:0:0:0:0:0:0:1:60136 Recv 11/20/2011 7:08:45 AM: GET / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive

0:0:0:0:0:0:0:1:60136 Sent 11/20/2011 7:08:45 AM: HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 27
Set-Cookie: IDHTTPSESSIONID=GfJiotShFnxxB24; path=/

// Second Firefox browser window

0:0:0:0:0:0:0:1:60139 Recv 11/20/2011 7:09:11 AM: GET /index.html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Cookie: IDHTTPSESSIONID=GfJiotShFnxxB24

-------

Note that the same session ID cookie was used by the second browser window.

The reason this is important is that I have several HTTP applications which
log in to the same server.  These applications each need to authenticate
independently.  Also, the user may need to open multiple instances of the
same application at the same time.  My plan was to use session cookies to
uniquely identify the instances.  If session cookies do not work this way
then I need a different way to distinguish clients.  Any recommendations are
gratefully welcomed.

One option I have considered is that the client send some kind of
authenticated string in each GET/POST request either as part of the URI (in
the case of GET) or a parameter (in the case of POST).  I'm not too happy
with that plan due to logistical problems unless it is the only way to
achieve what I require.

A second option is to inject the authenticated string into the HTTP header
but I'm not sure if that's a possibility.  The applications are built with
JavaScript and make many of their calls using Ajax.  If JavaScript has
access to the HTTP headers then this might be the better option.

I'm really hoping that there is a simpler option where I need only add a
flag of some kind to the cookie (and hopefully Indy can handle that).

Thank you for any advice,
Clayton
