Sessions shared across tabs

It's important to understand that multiple tabs/instances of the same browser will usually share the same server-side session when interacting with the same domain.

Server-side sessions can be implemented in two ways:

Applications should usually use the following logic to implement sessions:

In practice, most browsers have cookies enabled, so most sessions are implemented by cookies. It's important to know that each cookie is attached to a domain, and nothing else. So, every time the browser interacts with that domain, the cookie is sent to that domain's server. In particular, for a given browser, the same cookie is sent for every tab/instance that interacts with that domain.

As a consequence, with a given client and browser (that has cookies enabled), there's no way to have multiple sessions at the same time. If the user has multiple accounts, and logs in a second time with a different account, on a different tab, then they are actually overwriting the first login. They have only one session, not two.
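The overwrite described above, as an added simulation that is not code from the original page. The `Server` and `Browser` classes, the `SID` cookie name and the `app.example` domain are all hypothetical; the server is assumed to reuse an existing session on a second login.

```python
import secrets
from http.cookies import SimpleCookie

class Server:
    """Toy server for one domain; sessions live in memory, keyed by a cookie value."""
    def __init__(self):
        self.sessions = {}  # session id -> session data

    def handle(self, path, cookie_header, user=None):
        """Return (current user, Set-Cookie header or None) for one request."""
        jar = SimpleCookie(cookie_header or "")
        sid = jar["SID"].value if "SID" in jar else None
        set_cookie = None
        if sid not in self.sessions:           # no valid session yet: create one
            sid = secrets.token_hex(16)
            self.sessions[sid] = {}
            set_cookie = f"SID={sid}; Path=/; HttpOnly"
        if path == "/login":
            self.sessions[sid]["user"] = user  # overwrites any earlier login
        return self.sessions[sid].get("user"), set_cookie

class Browser:
    """One cookie jar per domain, shared by every tab of this browser."""
    def __init__(self):
        self.cookies = {}  # domain -> SimpleCookie

    def request(self, domain, server, path, user=None):
        jar = self.cookies.setdefault(domain, SimpleCookie())
        header = "; ".join(f"{k}={m.value}" for k, m in jar.items())
        body, set_cookie = server.handle(path, header, user)
        if set_cookie:
            jar.load(set_cookie)               # store the cookie for this domain
        return body

def demo():
    server, browser, other = Server(), Browser(), Browser()
    d = "app.example"  # constructed domain
    # A "tab" is just another request from the same Browser, so it uses the same jar.
    tab1_login = browser.request(d, server, "/login", user="alice")
    tab2_login = browser.request(d, server, "/login", user="bob")
    tab1_after = browser.request(d, server, "/whoami")  # tab 1 is now "bob"
    other_view = other.request(d, server, "/whoami")    # separate browser, separate jar
    return tab1_login, tab2_login, tab1_after, other_view, len(server.sessions)

if __name__ == "__main__":
    print(demo())
```

The first browser ends up with a single session whose user was replaced by the second login, while the second browser, holding its own cookie jar, gets a separate session.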

See Also:
Always maintain HttpSessions
Manage sessions closely
Beware of URL rewriting