I'm trying to implement an authentication mechanism where each browser tab may be logged in as a different user.
Here are the rules of this system:
What I've tried so far:
Using cookies
for both the private and public tokens: this doesn't work because the server has no way of knowing which cookie to look in. If a user clicks on a link from inside a tab, the request sends all cookies across all tabs and the server has no way of knowing which one clicked on the link.
Storing private tokens in sessionStorage
: This doesn't work because when a user clicks on a link, there is no way to specify custom headers that should be sent alongside the HTTP GET request.
Requesting the page using AJAX, then navigating to the page in memory using Data URIs: For security reasons, Internet Explorer doesn't allow the use of DATA URIs for HTML content. See http://msdn.microsoft.com/en-us/library/cc848897%28v=vs.85%29.aspx
Using <form method="get" enctype="multipart/form-data">
and passing the token using hidden fields: enctype="multipart/form-data" is only supported for POST.
Using <form method="post" enctype="multipart/form-data">
and passing the token using hidden fields: in theory, this should work but now the user gets prompted to re-submit form data if he uses the back/forward button.
Requesting the page using AJAX, then rewriting the current page using document.open(); document.write(); document.close()
. I tried both https://stackoverflow.com/a/4404659/14731 and http://forums.mozillazine.org/viewtopic.php?p=5767285&sid=d6a5a2e8e311598cdbad124e277e0f52#p5767285 and in both cases the scripts in the new <head>
block never gets executed.
Any ideas?
Okay, after going through many different iterations, here is the implementation we ended up with:
publicToken
, nextTabId
.privateToken
, tabId
.publicToken
is the token returned by the last login operation, across all tabs.privateToken
is the token returned by the last login operation of the current tab.tabId
.nextTabId
is a number that is accessible across all tabs.nextTabId
and increments its value.tabId
could have a value of "com.company.TabX
" where X
is the number returned by nextTabId
.privateToken
and publicToken
are overwritten using the authentication token returned by the server.privateToken
and publicToken
on the browser side, and privateToken
on the server side. We do not delete publicToken
on the server side.privateToken
will get logged out as well. Any tabs using a different token will be unaffected.privateToken
? When you open a link in a new window or tab, it inherits the privateToken
of the parent tab.publicToken
on the server, a tab logging out with privateToken
X, publicToken
Y would cause tabs with privateToken
Y to get logged out (which is undesirable).tabId
query parameter to the URL. The parameter value is equal to the value of tabId
.tabId
URL parameter from the current page using history.replaceState() so users can share links with their friends (tabId
is user-specific and cannot be shared).tabId
cookie (more on this below).tabId
cookie and follows the link.tabId
and a value equal to the value of privateToken
tabId
parameter is missing, then redirect the browser to GetTabId.html?referer=X
where X
is the current URL.tabId
is present but the authentication token is invalid or expired, then redirect the browser to the login screen.privateToken
, copy publicToken
into privateToken
.privateToken
and publicToken
are undefined, redirect to the login page.referer
which indicates where to redirect to on success.privateToken
, append the tabId
parameter to the referer
page and redirect back to it.window.location.replace()
when redirecting to remove GetTabId.html
from the browser history.tabId
cookie on page load, then each time a tab would make a request all of the other tabs' cookies would get sent as well.tabId
. As result, it gets the source-code of the page which redirects to GetTabId.html
instead of the actual page.GetTabId.html
and back to the original page).Apologies for the long implementation details, but I could not find an easier/shorter solution.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With