Sessions shared across tabs

It's important to understand that multiple tabs/instances of the same browser will all share the same server-side session when interacting with the same domain.

Server-side sessions can be implemented in two ways:

Applications should usually use the following logic to implement sessions: Each cookie is attached to a domain, and nothing else. So, every time the browser interacts with that domain, the cookie is sent to that domain's server. For a given browser, the same cookie is sent for every tab/instance that interacts with that domain.

As a consequence, with a given client and browser, there's no way to have multiple sessions at the same time.

If the user has multiple accounts, and logs in a second time with a different account, on a different tab, then they are actually overwriting the first login.

See Also :
Always maintain HttpSessions
Manage sessions closely
Beware of URL rewriting