Closed Bug 271581 Opened 20 years ago Closed 20 years ago

two browsers with the same session should not belong to the same http session

Categories

(Firefox :: General, defect)

x86
Windows 2000
defect
Not set
major

RESOLVED DUPLICATE of bug 117222

People

(Reporter: loocx, Assigned: bugs)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

I am using Windows 2000 Professional and testing a J2EE application with the
Firefox browser.  Whether I open a new browser with a new tab (Ctrl-T) or open a
browser in a new window (Ctrl-N), if two browsers both have the same URL, the
two browsers will stick to the same HTTP session.  The URLs of these two Firefox
browsers don't have to be identical, but both point to one JSP or servlet.
For example:
http://localhost:8080/examples/jsp/test/testBrowserSession.jsp?action=test1 and
http://localhost:8080/examples/jsp/test/testBrowserSession.jsp?action=test2

Reproducible: Always
Steps to Reproduce:
1. I made a testBrowserSession.jsp and put it in tomcat1.4. The source of the JSP is:
<source>
<%-- Read the "action" value from the URL and the one saved in the session by the previous request. --%>
<%
    String reqPara = (String) request.getParameter("action");
    String sesPara = (String) session.getAttribute("action");
%>

Parameter input from url [(String) request.getParameter("action");] is
<%=reqPara%> <br/>
Parameter input in session [(String) session.getAttribute("action");] is
<%=sesPara%> <br/>
<%-- Save the current value so that the next request in the same session can see it. --%>
<% session.setAttribute("action", reqPara); %>
</source>
2. Open a new Firefox browser with URL
http://localhost:8080/examples/jsp/test/testBrowserSession.jsp?action=test1

3. Click Control-T to open a new browser (a new tab). Enter URL
http://localhost:8080/examples/jsp/test/testBrowserSession.jsp?action=test2

4. Click the Firefox icon on the desktop to open a brand new browser. Enter URL
http://localhost:8080/examples/jsp/test/testBrowserSession.jsp?action=test3

Actual Results:  
step 2 shows session attribute("action") is null. (As expected)
step 3 shows session attribute("action") is test1. (two browsers are with the
same http session)
step 4 shows session attribute("action") is test2. (three browsers are with the
same http session).

Expected Results:  
step 2 shows session attribute("action") being null. 
step 3 shows session attribute("action") being null or test1.
step 4 shows session attribute("action") being null. 

If I perform the above test using Internet Explorer:
step 2 shows session attribute("action") is null. (As expected)
step 3 shows session attribute("action") is test1. (as expected)
step 4 shows session attribute("action") is null. (As expected)
(IE is doing a better job in this regard)

I report this bug because my web application needs to prevent users from manually
changing the URL or jumping to a bookmark in the middle of some business process. If
a user does want to jump to another similar link of my war application, I can gracefully
inform the user to close the current browser or log out before starting a new browser to
proceed.  However, if browsers pointing to the same URL page share the same HTTP
session, it will be highly likely to cause data inconsistency errors.  For
instance, two online trading browsers can point to the same page with different
parameters; they should not be in the same HttpSession.

I performed this test in Tomcat, WebSphere and WebLogic.  As well, I used Internet
Explorer to test.  I think this is a browser issue.

Isn't this bug 117222? I don't know anything about J2EE but it looks to me like
the "session" object is just referring to a session cookie, like in ASP or PHP.

Component: Web Site → General

It's a dupe, or close enough to a dupe of that evil mess of a spamtrap.

Note that if you do Ctrl-N from IE it does the same thing, but you can start a
second process by executing it directly.

*** This bug has been marked as a duplicate of 117222 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
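
The behaviour discussed in this report, as an added example (not code from the reporter or from Mozilla): a Python model of a container that keys sessions on a cookie, reproducing steps 2 to 4 and going one step further to show server-side state kept per flow rather than per session. The `Server` class, `flow_page` and the flow id are hypothetical; `JSESSIONID` is the default session cookie name in servlet containers.

```python
import secrets

class Server:
    """Constructed stand-in for a servlet container's session handling."""
    def __init__(self):
        self.sessions = {}  # session id (cookie value) -> attribute dict

    def _session(self, cookies):
        sid = cookies.get("JSESSIONID")
        if sid not in self.sessions:          # no cookie or unknown id: new session
            sid = secrets.token_hex(16)
            self.sessions[sid] = {}
            cookies["JSESSIONID"] = sid       # Set-Cookie lands in the caller's jar
        return self.sessions[sid]

    def test_page(self, cookies, action):
        """Same logic as testBrowserSession.jsp: report old value, store new one."""
        session = self._session(cookies)
        previous = session.get("action")
        session["action"] = action
        return previous

    def flow_page(self, cookies, action, flow=None):
        """Hypothetical fix: keep state per flow id carried in the URL or a form field."""
        flows = self._session(cookies).setdefault("flows", {})
        if flow not in flows:                 # first request of a tab: mint a flow id
            flow = secrets.token_hex(8)
            flows[flow] = {}
        previous = flows[flow].get("action")
        flows[flow]["action"] = action
        return flow, previous

def reproduce():
    server, profile = Server(), {}            # one cookie jar per browser profile
    # Steps 2-4: first window, new tab and new window all send the same jar.
    return [server.test_page(profile, a) for a in ("test1", "test2", "test3")]

def separate_jar():
    server = Server()
    server.test_page({}, "test1")
    return server.test_page({}, "test3")      # a different jar gets a fresh session

def per_flow():
    server, profile = Server(), {}
    tab_a, first_a = server.flow_page(profile, "test1")
    tab_b, first_b = server.flow_page(profile, "test2")
    _, again_a = server.flow_page(profile, "test1b", tab_a)
    return first_a, first_b, again_a, tab_a != tab_b
```

`separate_jar()` corresponds to the second IE process mentioned above: a client with its own cookie jar presents no session cookie and is given a new session.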