I have a Java web application where I need to stop the session being shared between browser tabs, meaning:
The user opens a browser, logs into his account and opens a particular page in a new tab in the same browser. As per the default setting, the session is shared with the new tab and the user is automatically logged in to the new tab. Can anyone tell me how this can be stopped, so I can at least restrict this in a few sensitive pages if not the entire application?
Usually cookies are used for session handling. Then all tabs and browser windows share the same session. But you can configure your servlet container to use URL rewrite instead of cookies. (Here is an example for Jetty.)
With URL rewrite the session is only identified via a URL parameter containing the session ID. So every internal URL of your web application has to be enhanced with this parameter using the method HttpServletResponse.encodeURL(). If you are using a web framework like Wicket, chances are good that this is already done for you.
With URL rewrite it is possible to have several independent sessions in different windows or tabs of the same browser instance.
Update: In response to the downvote I want to make clear the different behaviour of URL rewriting:
Let's assume the website's URL is http://webapp.com.
Cookies: Open http://webapp.com in the first browser tab.
The server creates a session and sends a cookie in the response.
The browser stores the cookie.
Then open http://webapp.com in the second browser tab. The browser associates this URL with the recently stored cookie and adds the cookie to the request.
For the server there is no difference between requests from the first or second browser tab, and it responds from the same session. Sometimes this is the desired behaviour.
URL rewriting: Open http://webapp.com in the first browser tab.
The server creates a session with ID 1 and adds the parameter jsessionid=1 to every URL in the response page. No cookie is transferred.
All further requests to another page of the same webapp from the first browser tab include the session ID (for example 1).
Then open http://webapp.com from the second browser tab. Here is the difference! Because there is no cookie and no jsessionid parameter in the request, the server creates a new session (i.e. ID 2) and adds parameter jsessionid=2 to every URL contained in the response page. From now on all subsequent requests from the second browser tab are associated with session 2.
So you have two independent sessions in the same browser.
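
A minimal setup for the URL-rewriting approach described in the answer above, as an added example that is not part of the original post. It assumes a Servlet 3.1+ container with the `javax.servlet` API; the class names and the `/account` path are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.EnumSet;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical holder class; the servlet API calls themselves are standard.
public class UrlSessionDemo {

    @WebListener
    public static class UrlTrackingConfig implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            // Track sessions only through the jsessionid URL parameter, never a cookie.
            sce.getServletContext()
               .setSessionTrackingModes(EnumSet.of(SessionTrackingMode.URL));
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) {
            // Nothing to clean up.
        }
    }

    @WebServlet("/account")
    public static class AccountServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            // A request without ;jsessionid=... (a freshly opened tab) gets a new session.
            HttpSession session = req.getSession(true);
            resp.setContentType("text/html;charset=UTF-8");
            // The ID now sits in URLs, so keep it out of Referer headers sent to other sites.
            resp.setHeader("Referrer-Policy", "no-referrer");
            PrintWriter out = resp.getWriter();
            out.println("<p>New session for this tab: " + session.isNew() + "</p>");
            // encodeURL() appends ;jsessionid=<id> so the link stays in this tab's session.
            out.println("<a href=\"" + resp.encodeURL("account") + "\">Stay in this session</a>");
        }
    }
}
```

Because the session ID is part of every link, it also ends up in browser history, bookmarks, and server or proxy access logs, and anyone who receives a copied link receives the session with it.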