Urgent help needed : IE 7 TABS
My website requires that users don’t open my website url in multiple tabs. Opening the url in new window is allowed.
My question is, is there a way in javascript or otherwise to prevent users from opening the same url in multiple tabs?
Answers
Thanks HTH and Lance for the responses. Our backend is designed to handle role based scenarios; however the issue here was to do with sharing sessions across tabs. The user might be in a specific page logged in under a certain customer under a certain role having variables information in sessions. Since these session variables are shared across tabs, users might open a new tab and choose a different customer and role and might come back to the first tab and hit a save button without realizing the fact that the session variables have changed in between.
Initially I thought of controlling the tabs and making sure that only one tab opens per website, but as you suggested no APIs to control tabs.
Finally, I am storing the session variables in vewstate so that they remain unique during postbacks. There was also a suggestion to create a unique guid and attach it with session variables and urls for every post back (similar to cookieless sessions). Storing the sessions in viewstate has thus solved the issue for now.
All Replies
- 1.) No. You can't stop the user.
2.) Why do you need to stop the user opening your site in multiple tabs? Is the issue that your user can't have 2 windows with the same session to your application? (if so, you need to adjust your application settings).
Tabs allow the user to work more efficiently with any site or application they interact with. It is the user's preference to use tabs how and when they want.
HTH - Hi HTH, Thanks for your reply. I do belive that we shouldnt stop the user, but if the user did open multiple tabs and changed roles without realizing that the other open tabs also share the same session, it could mess up the application. Also its not just roles but other features as well that depends on the session.
I was able to prevent users from opening a new tab by putting the code.
if(!Page.IsPostBack)
{
string framescript = "";
if((Session["LocalSecID"] != null) && (Session["LocalSecID"].ToString() == Session.SessionID.ToString()))
{
if(Session["Counter"] != null && Session["Counter"].ToString() == "1")
{
framescript = "<script language='javascript'>" + "window.open('Logon.aspx','BMS');</script>";
Page.RegisterStartupScript("Framescript", framescript);
Session["Counter"] = "0";
Response.Redirect("http://www.xyz.com/notallowed.aspx");
}
}
else
{
Session["LocalSecID"] = Session.SessionID;
Session["Counter"] = "1";
}
}
The code does block the user when he hits the new tab, BUT also kills the session in the already opened tab.
Instead of using server side code, is there a javascript code that can check for urls in all opened tabs and prevent users from opening new tabs? - I could use windows shell obj and iterate the ie collection
using SHDocVw;
private System.ComponentModel.Container components = null;
static private SHDocVw.ShellWindows shellWindows = new SHDocVw.ShellWindowsClass();
public Form1()
{
//
// Required for Windows Form Designer support
//
InitializeComponent();
foreach(SHDocVw.InternetExplorer ie in shellWindows)
{
MessageBox.Show("ie.Location:" + ie.LocationURL);
ie.BeforeNavigate2 += new
SHDocVw.DWebBrowserEvents2_BeforeNavigate2EventHandler(this.ie_BeforeNavigate2);
}
}
This would give me names of all open tab locations. But this only works for windows applications. I am yet to find a way to iterate the open tabs via web. Hi there,
As posted earlier in the thread, there's no public Javascript API for controlling the way the user opens windows; this was a security decision designed to prevent malicious behavior.
If you're worried about session cookies, you may wish to delete them directly or to warn users that they need to close their browser windows for the most security.
Hope this helps...
-- Lance
- Maybe I'm really confused here, but let me take a stab at it.
Your application displays/does stuff based on the logged in user's session. - fine
If the user logs in as say.. the "Mr. Johnny Admin" role, they can do anything...
if in one of the opened tabs, the user logs out, and logs in as "Mrs. Limited Smith" then they see a smaller sub-set of options and actions. - fine.
If they re-view the original tab, then it will still "show" the previous role's view... but as soon as they click on something....
a.) if the action was specific to the "Johnny Admin" user, then your BACKEND code will deny the action.
b.) if the action was not-specific to the "Johnny Admin" user, then the page will load normally, just showing the applicable data, that the new "Limited Smith" role allows.
The end user wouldn't expect any different behavior than the (a,b) scenarios above.
However if your application, does not handle the security in the BACKEND (item a), when the user tries to access actions/content not allowed by their role, then it is your BACKEND that needs fixing, not attempting to put a BANDAID on the browser UI.
This is important, one for security, and two, becauase presumably your application runs on many platforms/browsers, and attempting to invoke shell code won't work in other browsers, and increases your security-breach vectors in IE. Not to mention that I'm sure whatever method you try, to stop the user openning a tab, there will be a way that they find to do it. Thanks HTH and Lance for the responses. Our backend is designed to handle role based scenarios; however the issue here was to do with sharing sessions across tabs. The user might be in a specific page logged in under a certain customer under a certain role having variables information in sessions. Since these session variables are shared across tabs, users might open a new tab and choose a different customer and role and might come back to the first tab and hit a save button without realizing the fact that the session variables have changed in between.
Initially I thought of controlling the tabs and making sure that only one tab opens per website, but as you suggested no APIs to control tabs.
Finally, I am storing the session variables in vewstate so that they remain unique during postbacks. There was also a suggestion to create a unique guid and attach it with session variables and urls for every post back (similar to cookieless sessions). Storing the sessions in viewstate has thus solved the issue for now.
Arangil --
I have a very similar problem. In my case, I perform database processing, retrieval, and display based on a key identifier that I save in a session variable so that when I navigate from page to page I know what set of data I'm working with. Originally, it worked like a champ. My problem manifested when we went to IE7 at our location and people started using tabs. As an example, some folks opened three instances of my .net application -- one in each of three separate tabs. The problem is, only one key identifier is stored in the session variable and, of course, the three tabs are open under a single session. As a user navigates from tab to tab and starts re-calculating, unpredictable results occur because he thinks he is working with one set of data when the session variable may still contain the key identifier related to one of the other tabs -- yikes!
My solution to date has been to use 3 lines of vb.net code:
If
Session.IsNewSession.ToString() = False And Len(Request.ServerVariables("HTTP_REFERER")) < 1 Then AlertUser ("Message instructing them to close 2nd tab...") End If1. Session.IsNewSession.ToString() allows me to test for the session originally opening.
2. Len(Request.ServerVariables("HTTP_REFERER")) < 1 allows me to test for the page being opened by another page within my application.
If my application is opened in a second tab, I detect it and caution them to close the second tab. They are permitted to have multiple tabs open that contain urls to other sites, but I only want my url in one tab. If they want multiple instances of my app open, they can open other instances of IE.
My problem now is that there are other conditions in addition to multiple open tabs for which the preceeding if..then..else statement is true. For example, if I kill all the IE tabs that contain my app and then open it in a single new tab, I get the alert (but shouldn't).
The bottom line to all this is, do you have any suggestions on how to determine if a given page's url is already open in another IE tab? or, alternatively, determine when a tab with a specified url is closed?
Thanks in advance.....GaryAF
- Gary
thanks for your imput.. it looks like it is working in IE 7 for me. You may also want to let the users know that the code shoule be put in Page_init, not in Page_Load.
thanks
Natale Where are you putting this code? I've attempted to use this in my master page and any response.redirect causes this code to fail. can you provide some insight on this
thanks
