Posted

I've seen a lot of similar topics with no solution so far.

My web app is robust and has tons of screens. There are a couple of screens that would be very handy to keep displayed at all times WHILE the user continues to operate the application. These 2 or 3 forms would clutter up and take too much space in a ONE-TAB application. If the form could be opened in a new tab or window, then the user will be able to see the big grid list AND will be able to fully see the application to use it.

In prior posts, the answer was always NO, because a new tab would be a new session.

Has anyone figured out how to do this OR is this a new feature that is coming soon?

 

Thanks

DAvie

Posted
12 hours ago, vbdavie said:

I've seen a lot of similar topics with no solution so far.

My web app is robust and has tons of screens. There are a couple of screens that would be very handy to keep displayed at all times WHILE the user continues to operate the application. These 2 or 3 forms would clutter up and take too much space in a ONE-TAB application. If the form could be opened in a new tab or window, then the user will be able to see the big grid list AND will be able to fully see the application to use it.

In prior posts, the answer was always NO, because a new tab would be a new session.

Has anyone figured out how to do this OR is this a new feature that is coming soon?

 

Thanks

DAvie

I think you can, using some vulnerability!

Because uniGUI is a single-page application, you cannot leave the application within one session so easily:

https://security.stackexchange.com/questions/110151/single-page-application-session-management

https://stackoverflow.com/questions/8472407/opening-a-new-window-create-a-new-session

https://www.quora.com/What-happens-when-I-open-multiple-tabs-of-the-same-website-in-my-browser-Does-it-create-a-new-session-creating-a-new-port-for-each-tab

good explanation and example code: https://www.quora.com/Is-it-possible-to-make-SPA-application-from-one-tab-to-render-pages-in-different-tabs

 

Try to open new windows from the same session using cookie hijacking / session hijacking:

So, using this code, you can add some cookies (session data) and new windows will open the same session!

 

function openNewTab(url) {
  // your session data from google console
  url = "http://localhost:8077/HandleEvent?IsEvent=1&Obj=O1B&Evt=data&_dc=1724910375201&start=0&limit=25&options=1&page=1";
  window.open(url, '_blank');
}

If you do it using this vulnerability, keep the security question in mind!!!

https://forum.scriptcase.net/t/using-same-app-in-two-browser-tabs-safe/26506

https://curity.io/resources/learn/spa-best-practices/

https://auth0.com/blog/application-session-management-best-practices/

use CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Posted

Thanks for the reply. When I go to Amazon or other sites with shopping carts, I can have many tabs and they all seem to be the same session, because the shopping carts show the same info on all the tabs. Does that mean they are vulnerable too?

Also, what is the worst that can happen with the vulnerability?

Thanks

DAvie

Posted
1 hour ago, vbdavie said:

what is the worst that can happen with the vulnerability?

https://www.google.com/search?q=Session+hijacking&sourceid=chrome&ie=UTF-8

This is an important question for your client and their security team.

If losing any data through this vulnerability is insignificant to him, it won't be particularly important to you either.

But you as a developer should keep that in mind.

In the links above I have also listed a few for implementing good practices.

  • 2 weeks later...
Posted
On 12/25/2024 at 3:33 PM, vbdavie said:

I've seen a lot of similar topics with no solution so far.

My web app is robust and has tons of screens. There are a couple of screens that would be very handy to keep displayed at all times WHILE the user continues to operate the application. These 2 or 3 forms would clutter up and take too much space in a ONE-TAB application. If the form could be opened in a new tab or window, then the user will be able to see the big grid list AND will be able to fully see the application to use it.

In prior posts, the answer was always NO, because a new tab would be a new session.

Has anyone figured out how to do this OR is this a new feature that is coming soon?

 

Thanks

DAvie



Hi there... this is not a missing feature but how you design your app. Not everything works like that. On a lot of websites, if you open a new tab, the previously opened tab is "closed" or the new tab asks for a new login. Just try your bank and any service with very tight security. Amazon (sales, ok), Amazon AWS with instances manager, nope! The best example I can talk about is GMail: just watch the load of work and you can open as many tabs as you want, temp messages, all synchronized in between, etc. etc. But that is a high-level pro solution.

I had one project where it would make sense for the user to open the same page again and again in new tabs. But he/she was just selecting items (music karaoke to download, in this service). I can keep everything synchronized since we used cookies and localStorage. But there is another process where it makes no sense for the user to keep opening a new tab in the middle of a transitory operation, like filling in a form.

Major sites/services, when you open another tab from the same page, have already saved your current data (aka the cart) and session data before opening the new page (this works differently than uniGUI, since the majority should be stateless and uniGUI is stateful), but you can use the same approach.

How do they save data? Using browser localStorage, using cookies, using ajax; there are many ways to do that. When using uniGUI, it maintains, integrated/in sync, the state of your opened forms/pages with the server and the components bound to your DB. uniGUI does that automatically. So, you have two tabs (pages) with the same form with pending updates. Which tab should the uniGUI server give priority to, since now you have two sessions? And anyway, what is that feature for in THIS CASE?

Same as opening the same program on the desktop (client/server for instance). Hence the configuration to end the session. You can work that out by code. But why do that? If you don't need sync and are just showing static data, there is no problem using more than one session. Just use some tricks to do that using localStorage, cookies or ajax.

When you open the same page in another tab, what do you want to do with the previous process? Leave it? Check if data was saved to the server, invalidate the current transaction? It is up to you.

If you use Postman or just watch the browser console, you will see that happening. Some services/websites won't allow that, like Binance, but PayPal, yes. So... it's up to you to decide what is practical for your visitor and service.

By the way, with https enabled, using encrypted cookies with a short life span, and NEVER accepting injection via URL... no way you get hijacked. If so, your server and the client computer were compromised long ago.

Some websites, "IRS"-alike here in Brasil, when opening a new tab, will disconnect the previously opened one and give a warning. So, long ago they abandoned this idea. So, they changed to JAVA and now you download an APP running JAVA to fill in the forms and hundreds of fields.

They don't work like that since it makes no sense to open 2 or more tabs to declare and pay the same taxes, again and again, by tabs...

just joking.
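
The cookie settings named in the post above (HTTPS only, short life span, never taking the session from the URL), as an added Node.js example that is not part of the original post and not uniGUI code. The cookie name, the list of URL parameter names and the 15-minute lifetime are assumptions, and HMAC signing stands in here for the "encrypted cookies" the post mentions.

```javascript
// Added example: hypothetical names throughout; standard library only.
const nodeCrypto = require('node:crypto');

const SESSION_COOKIE = 'app_session'; // assumed cookie name
const URL_SESSION_PARAMS = ['sid', 'sessionid', 'session_id', 'jsessionid']; // assumed

// Sign the session id so a modified cookie is rejected (integrity, not secrecy).
function sign(sessionId, key) {
  const mac = nodeCrypto.createHmac('sha256', key).update(sessionId).digest('hex');
  return `${sessionId}.${mac}`;
}

// Return the session id if the signature matches, otherwise null.
function verify(cookieValue, key) {
  const dot = cookieValue.lastIndexOf('.');
  if (dot <= 0) return null;
  const sessionId = cookieValue.slice(0, dot);
  const expected = Buffer.from(sign(sessionId, key));
  const given = Buffer.from(cookieValue);
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (given.length !== expected.length) return null;
  return nodeCrypto.timingSafeEqual(given, expected) ? sessionId : null;
}

// Short-lived, HTTPS-only, hidden from page script, withheld on cross-site subrequests.
function buildSessionCookie(sessionId, key, maxAgeSeconds = 900) {
  return `${SESSION_COOKIE}=${sign(sessionId, key)}; Max-Age=${maxAgeSeconds}; ` +
    'Path=/; Secure; HttpOnly; SameSite=Lax';
}

// Take the session from the cookie only; refuse any request that carries one in the URL.
function resolveSession(req, key) {
  const params = new URL(req.url, 'https://placeholder.invalid').searchParams;
  for (const name of params.keys()) {
    if (URL_SESSION_PARAMS.includes(name.toLowerCase())) {
      return { ok: false, reason: 'session-id-in-url' };
    }
  }
  const cookies = (req.headers.cookie || '').split(';').map((c) => c.trim());
  const raw = cookies.find((c) => c.startsWith(`${SESSION_COOKIE}=`));
  if (!raw) return { ok: false, reason: 'no-cookie' };
  const sessionId = verify(raw.slice(SESSION_COOKIE.length + 1), key);
  return sessionId ? { ok: true, sessionId } : { ok: false, reason: 'bad-signature' };
}
```

Because the browser sends the same cookie from every tab of the same origin, a second tab resolves to the same server-side session without any identifier in the address bar.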

Posted
On 12/26/2024 at 12:48 PM, vbdavie said:

Thanks for the reply. When I go to Amazon or other sites with shopping carts, I can have many tabs and they all seem to be the same session, because the shopping carts show the same info on all the tabs. Does that mean they are vulnerable too?

Also, what is the worst that can happen with the vulnerability?

Thanks

DAvie

I think you're talking about sessions in two different contexts:
A- PSA (like uniGUI) can have many sessions. But no need for that.
B- DB transactional session per user. That you should code for this need, of course.

Your cart does not double by tabs opened, it is the same cart! Hence, you're talking about the B type of session, not the uniGUI stateful server connection session.
