I've always thought the HS3 web server had very poor session management, but I've ignored it to this point. Today I ran across something really odd (and insecure).
First, some background. I use multiple user accounts in HS3 to limit access to administrative/geeky/management devices and such. I also have auto-refresh enabled.
If I open 2 web instances as two users on two different computers, eventually after a refresh the second computer will change to the user of the first, and both computers will show the same user session (if one user requires a login, the second computer will display a login prompt and hang there). This seems like HS3 isn't managing the sessions separately within the web server.
If I open 2 tabs to HS3 device view as the same user, and change the view of the second to filter a different room, eventually after the refresh both tabs will show the same room view without any action on my part. Again, seems HS3 isn't managing 2 separate web sessions from the same computer as separate sessions.
Today I had something really odd happen. I started on one computer in the Manage Plug-Ins page, left that session up and moved to a second computer and opened the same page. I had installed the mcsMQTT plugin and opened the "MQTT Doc" link, which downloaded the pdf file locally on the first computer. Once I moved to the second computer I realized I needed the document there, so I opened the "MQTT Doc" link from the second computer and nothing happened. Being human, I did this 4 or 5 more times. Nothing. Finally in frustration I moved to the first computer to copy the downloaded file, and found that the first computer had actually downloaded the document 6 times. The time stamps on the documents clearly showed that these downloads were initiated by the second computer.
That seems like bizarre and insecure session management.
Homeseer, any comments on this behavior?