Solving the multi-user login problem in the same browser

  • Question: If only one user logs in from a given browser, you can store the user's login information in the Session on the server. But if the project needs to allow multiple different users to log in from one browser, this becomes a problem. The server distinguishes users by the JSESSIONID stored in a Cookie, and requests that carry the same JSESSIONID use the same Session object on the server. Because one browser shares the same Cookie, the JSESSIONID is the same, and the server cannot tell the users apart. When the first user logs in, their information is written to the Session; when the second user logs in, it overwrites the first user's login information.

  • Solution: Stop relying on Tomcat's default JSESSIONID to identify the client. After each login, the server generates a token based on the user information. One copy is written to the database, stored together with its validity period and the identity information, and cleared on a schedule; the other copy is returned to the client. The token can be placed in a hidden field of the page, but it cannot be stored in a Cookie, because there it would not uniquely distinguish between users. On every subsequent request the client sends the token along for identity verification, and the server uses the token's value to look up the corresponding identity information in the database. This makes it possible to distinguish different users logged in from the same browser. After the check passes, the token is returned to the client for use on its next request. To prevent unauthorized use of the token, use HTTPS.
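
The scheme above as an added example, not code from the original post: a server-side token table with issue, per-request verification and scheduled cleanup. The class and method names are hypothetical, an in-memory map stands in for the database table, and the token is assumed to be a random value from `SecureRandom` linked to the identity in the table rather than computed from the user information, so it cannot be guessed from user data (Java 16+).

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class LoginTokenStore {
    // One row per login: identity plus expiry time (stands in for the database table).
    private record Entry(String userId, Instant expiresAt) {}

    private final Map<String, Entry> rows = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration ttl;

    public LoginTokenStore(Duration ttl) { this.ttl = ttl; }

    // Called after a successful login; the returned value goes into the page's hidden field.
    public String issue(String userId, Instant now) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        rows.put(token, new Entry(userId, now.plus(ttl)));
        return token;
    }

    // Called on every request: maps the submitted token to an identity,
    // or returns empty when the token is missing, unknown or expired.
    public Optional<String> verify(String token, Instant now) {
        if (token == null) return Optional.empty();
        Entry e = rows.get(token);
        if (e == null || !now.isBefore(e.expiresAt())) return Optional.empty();
        return Optional.of(e.userId());
    }

    // The scheduled cleanup: drop rows whose validity period has passed.
    public int purgeExpired(Instant now) {
        int before = rows.size();
        rows.values().removeIf(e -> !now.isBefore(e.expiresAt()));
        return before - rows.size();
    }

    public static void main(String[] args) {
        LoginTokenStore store = new LoginTokenStore(Duration.ofMinutes(30));
        Instant t0 = Instant.now();
        String first = store.issue("alice", t0);   // constructed user, first login
        String second = store.issue("bob", t0);    // constructed user, same browser
        System.out.println(store.verify(first, t0) + " " + store.verify(second, t0));
        Instant later = t0.plus(Duration.ofHours(1));
        System.out.println(store.verify(first, later) + " purged=" + store.purgeExpired(later));
    }
}
```

Each tab or form carries its own token, so the two logins resolve to different identities even though the browser sends the same JSESSIONID for both.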

Origin www.cnblogs.com/soundofcolors/p/11097253.html