Re: Problem with session cookies

Giganews Newsgroups
Subject: Re: Problem with session cookies
Posted by:  Remy Lebeau (re…@lebeausoftware.org)
Date: Mon, 21 Nov 2011

Clayton wrote:

> While performing some session testing against a web server built on
> TIdHTTPServer I discovered that the same session IDs are being used
> from multiple browser windows.

That is normal.  Browsers are allowed to do that.

> Thinking that this was caused by the use of persistent cookies I
> investigated further.  From my understanding it looks like Indy uses
> "session cookies" by default

Correct.

> which has me completely perplexed as to why the browser is using the
> cookie between tabs/windows.

Because browsers share cookies across multiple windows in the same process.

> In the case of IE even when I close all browser windows and open a new
> window the browser continues to send the previously used session ID.

Is the new window sending the cookie right away in its first request, or
is it waiting for the server's reply to arrive first?  TIdHTTPServer does
not reuse an existing session for a new connection unless the client sends
an existing cookie for that session.  Server-side sessions are tracked by
the combination of IP and cookie.  If the client does not send a valid cookie
for an existing session, TIdHTTPServer creates a new session with a new cookie.
When the new window connects to the server, are you getting any OnCreateSession
or OnInvalidSession events triggered on the server?  If not, then the server
is reusing an existing session, which means the client reused a previous
cookie that had not timed out on the server yet.

> FF destroys the cookie when closing the last instance of the browser.

So does IE, which makes me think that you are not actually closing all instances
of it.  For instance, keep in mind that Windows Explorer uses IE internally,
so make sure you close all Windows Explorer windows as well.  Also, third-party
apps (like Delphi's TWebBrowser component) use IE internally as well.

> //  First connection by a FireFox browser window
<snip>
> // Second FireFox browser window
<snip>
> Note that the same session ID cookie was used by the second browser
> window.

That is perfectly fine, if both windows belong to the same process.  Until
you fully exit Firefox, it is free to share cookies across multiple windows.

> The reason this is important is I have several HTTP applications
> which log in to the same server.  These applications each need to
> authenticate independently.

Then I suggest you switch to using HTTP authentication, which can be applied
on a per-connection basis rather than a per-session basis if you decouple
your authentication from your cookies.

> Also, the user may need to open multiple instances of the same application
> at the same time.

The server would have no way of differentiating those sessions using cookies
alone if they are running at the same time.

> If session cookies do not work this way then I need a different way to
> distinguish clients.

Yup.

> One option I have considered is that the client send some kind of
> authenticated string in each GET/POST request either as part of the
> URI (in the case of GET) or a parameter (in the case of POST).

Better to use HTTP authentication instead.  TIdHTTPRequestInfo has AuthExists,
AuthUsername, and AuthPassword properties for that purpose.  TIdHTTPServer
natively supports BASIC authorization only at the moment, but you can use
the OnParseAuthentication event to support other auth schemes manually.

--
Remy Lebeau (Indy Team)

Replies

In response to

Problem with session cookies posted by Clayton Arends on Sun, 20 Nov 2011