Different browser means a different client from th

Posted 2019-07-20 03:54

  1. If I open a new Tab (or Window) of the same browser I am working on (say Firefox), then it would be considered as the same client by the server.

  2. But, if I open the same URL from a different browser (say IE), then the server cannot identify this as the same client.

So, how does the server identify a client, internally?

If I want a Server to uniquely identify a client even from a different browser (and not consider it as a new client), how do I do it from a Web Server (using Servlets)?

2 answers
老娘就宠你
Reply #2 · 2019-07-20 04:40

"If I open a new Tab (or Window) of the same browser I am working on (say Firefox)"

Your premise is not accurate.

If I use a different profile of the same browser (Firefox, or Chrome, etc), it would be considered a different session.

That is the idea - that I can have the privacy of not letting the server or web service see my other profiles. As the user, I will not ever let your app cross that line of inquiring into my other browsers or profiles. Moreover, FF, Chrome, Safari, IE, etc do not share the same storage schema for their cookies.

Of course, you could spend a lot of time, attempting to hack up a desktop app that would exchange cookies between the browsers - but that would be useless because

  • how are you going to decrypt those cookies?
  • are you willing to write the same app for all the operating systems?
  • then how are you going to convince me to trust you to let you install that cookie incursion app on my system?

Your time would be better spent on industry accepted and prevalent practices.

However, if your application has user login/authentication, then I would want your app to recognise me and my history no matter which PC, which profile, or which part of the world I am in.

Therefore, the answer to your question is - user authentication.

You should not deal with mucking around the server to recognise the same session id, across multiple PCs or browser "sessions". It gets to be wiry, hairy and kludgy.

Don't reinvent the wheel. Use OpenID or OAuth2.

OpenID-consumer is very simple to implement. Simple as it is, there are not many literature examples on implementing OpenID. But Google has put up a sufficient amount of helpful literature on OAuth.

Google Federated login/OAuth is also quite fun and easy to implement. Even with GWT.

The question remains - why do I want to complicate the matter with user authentication when all I want is to share a session across multiple "browser sessions"? The reason is security. Even if it is an internal company application. Do you think your managers would want to know that anyone in the company could masquerade their sessions?

By the time you got deep into your project, you would realise there is no point trying to escape from the user authentication route. And there is no point whipping up your own secure session authentication framework.

三岁会撩人
Reply #3 · 2019-07-20 04:51

Technically, this should not be possible. The server identifies clients by setting a cookie on them, and browsers do not share their cookies (they only share them between tabs, that's why you see that different tabs are treated as the same client). You could try identifying by IP address, but then all the clients behind a proxy would erroneously be identified as the same client. Any other way of uniquely identifying a client would involve getting information from the machine (something like the MAC address, for instance) and for security reasons browsers are not allowed to do this.

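The mechanism both answers describe, as an added example that is not part of the original thread: a toy Python model (not a servlet container) in which each browser keeps its own cookie jar, so tabs share a session, another browser gets a new one, and only a login ties both sessions to the same user. The names `Server`, `Browser`, `demo`, the `SID` cookie and the `verified_user` parameter are hypothetical, chosen for illustration.

```python
import secrets

class Server:
    """Toy model of cookie-based session tracking (not a servlet container)."""
    def __init__(self):
        self.sessions = {}   # session id -> user name, or None while anonymous

    def handle(self, cookies, verified_user=None):
        """Process one request and return (user, new_cookie_or_None).

        verified_user stands for an identity already proven by the login
        step (password check, OpenID, OAuth2), which is outside this model.
        """
        sid, new_cookie = cookies.get("SID"), None
        if sid not in self.sessions:      # no cookie, or an id we never issued
            sid = new_cookie = secrets.token_urlsafe(32)
            self.sessions[sid] = None
        if verified_user is not None:
            # Issue a fresh id at login so a pre-login id is never promoted
            # to an authenticated one (session fixation defence).
            del self.sessions[sid]
            sid = new_cookie = secrets.token_urlsafe(32)
            self.sessions[sid] = verified_user
        return self.sessions[sid], new_cookie

class Browser:
    """One browser profile: a single cookie jar shared by all of its tabs."""
    def __init__(self, server):
        self.server, self.jar = server, {}

    def request(self, verified_user=None):
        user, new_cookie = self.server.handle(dict(self.jar), verified_user)
        if new_cookie:
            self.jar["SID"] = new_cookie
        return user

def demo():
    server = Server()
    firefox, ie = Browser(server), Browser(server)
    firefox.request()                     # tab 1: server issues a session id
    first_sid = firefox.jar["SID"]
    firefox.request()                     # tab 2: same jar, so same session
    same_across_tabs = firefox.jar["SID"] == first_sid
    ie.request()                          # other browser: empty jar, new session
    differs_across_browsers = ie.jar["SID"] != first_sid
    users = (firefox.request("alice"), ie.request("alice"))
    rotated = first_sid not in server.sessions
    return same_across_tabs, differs_across_browsers, users, rotated
```

The two browsers still hold different session ids after login; what they share is the account the server maps each id to.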