Session cookie per UI

Hi,

I have an application with multiple UIs.
They all share the same servlet-class and are running under the same context.
Currently they all receive the same cookie and share it, so in case I would like to invalidate the session in one UI, all UIs are invalidated.

Is it possible that each UI servlet will have its own session cookie?

Thanks,
Nadav

Is it possible that each UI servlet will have its own session cookie?

No, it is possible in Vaadin. The session cookie management is hardwired and works according to standards. It would probably impose security risks to implement it some other way.

However, you are not out of options. You could create your own user management so that you can handle more than one user in a session. (Note, then it is your responsibility to write the application so that no unwanted information can leak to other users.) There are tools that make implementing this relatively straightforward.

Take a look at this example application: https://github.com/TatuLund/cdi-demo. It is using CDI. It still has SessionScoped user management, but you can quite easily change it to be UIScoped instead.

Thanks for the quick reply.
My issue is not about multiple users in one session.
I’ll elaborate on my requirement.

I require the user to authenticate whenever he browses to a UI application.
If the user closes the browser entirely, the next time he opens it he’ll get a new JSESSIONID in the cookie.
However, after the user performs a logout but the browser is still open, the JSESSIONID remains the same.

For security reasons I would like the JSESSIONID to be replaced after the user performs a logout.
I found that the way to do it is to invalidate the session, but it’ll also invalidate other UIs related to that session.
That is why I was asking about having a session cookie per UI.

Is there maybe another solution to my requirement?

Ok, now I understand your case better.

I found that the way to do it is to invalidate the session

Yes, that is the correct way to do it; there is an example here: https://github.com/TatuLund/cdi-demo/blob/master/src/main/java/org/vaadin/cdidemo/data/UserProfileHolder.java#L49

There are multiple UIs per Session for a reason, and that is something you cannot override.

But it should be possible to live with this setup.

You need to implement bookkeeping of the UIs in your session. I.e. each time a new UI is created, increase the count by one, and when a UI is logged out, decrease the count. Then change your logout to take that into account by invalidating the session when the last UI is being closed.

Or you could rely on this method: VaadinSession.getUIs(…)

https://vaadin.com/api/framework/8.8.5/com/vaadin/server/VaadinSession.html#getUIs--
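
The bookkeeping suggested in the last reply could look like the sketch below. It is an added example, not code from the thread or from the cdi-demo project. The class name `UiLoginRegistry`, the session attribute key and the `loginUrl` parameter are assumptions, and it assumes Vaadin 8 with both methods called from a UI event listener, where the framework already holds the session lock.

```java
import com.vaadin.server.VaadinSession;
import com.vaadin.ui.UI;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical helper: per-session record of which UIs are logged in. */
public final class UiLoginRegistry {
    // Assumed attribute name; any key unique within the session works.
    private static final String ATTR = UiLoginRegistry.class.getName();

    private UiLoginRegistry() { }

    @SuppressWarnings("unchecked")
    private static Set<Integer> loggedIn(VaadinSession session) {
        Set<Integer> ids = (Set<Integer>) session.getAttribute(ATTR);
        if (ids == null) {
            ids = new HashSet<>();
            session.setAttribute(ATTR, ids);
        }
        return ids;
    }

    /** Call from the login handler once this UI's user has authenticated. */
    public static void markLoggedIn(UI ui) {
        loggedIn(ui.getSession()).add(ui.getUIId());
    }

    /** Call from the logout handler; loginUrl is where the browser goes next. */
    public static void logout(UI ui, String loginUrl) {
        VaadinSession session = ui.getSession();
        Set<Integer> ids = loggedIn(session);
        ids.remove(ui.getUIId());

        // Forget UIs that went away without an explicit logout (tab closed, timeout).
        Set<Integer> open = new HashSet<>();
        for (UI other : session.getUIs()) {
            if (!other.isClosing()) {
                open.add(other.getUIId());
            }
        }
        ids.retainAll(open);

        ui.getPage().setLocation(loginUrl); // redirect before tearing anything down
        if (ids.isEmpty()) {
            session.getSession().invalidate(); // last UI: next request gets a new JSESSIONID
        } else {
            ui.close(); // other UIs still logged in: end only this UI
        }
    }
}
```

While other UIs remain logged in, the JSESSIONID stays the same after a single UI logs out; it is replaced only once the last logged-in UI logs out and the HTTP session is invalidated.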