Require that a "JID" be specified with keepalive. updates #339

converse.js

@@ -5326,13 +5326,17 @@
                     }
                 }
                 if (this.keepalive) {
+                    if (!this.jid) {
+                        throw("When using 'keepalive', you must supply the JID of the current user. ");
+                    }
                     rid = this.session.get('rid');
                     sid = this.session.get('sid');
                     jid = this.session.get('jid');
-                    if (rid && jid && sid) {
+                    if (rid && sid && jid && Strophe.getBareJidFromJid(jid) === Strophe.getBareJidFromJid(this.jid)) {
                         // The RID needs to be increased with each request.
                         this.session.save({rid: rid});
                         this.connection.attach(jid, sid, rid, this.onConnect);
+
                     } else if (this.prebind) {
                         if (this.prebind_url) {
                             $.ajax({

docs/source/configuration.rst

@@ -162,6 +162,16 @@ Default: ``e.g. conversejs.org``
 
 The placeholder text shown in the domain input on the registration form.
 
+jid
+---
+
+The Jabber ID or "JID" of the current user. The JID uniquely identifies a user
+on the XMPP network. It looks like an email address, but it's used for instant
+messaging instead.
+
+This value needs to be provided when using the :ref:`keepalive` option.
+
+
 .. _`keepalive`:
 
 keepalive
@@ -172,6 +182,12 @@ Default:    ``true``
 Determines whether Converse.js will maintain the chat session across page
 loads.
 
+When using keepalive, you will have to provide the `jid`_ of the current user
+to ensure that a cached session is only resumed if it belongs to the current
+user.
+
+This setting should also be used in conjunction with :ref:`prebind` and :ref:`keepalive`.
+
 See also:
 
 * :ref:`session-support`
@@ -310,13 +326,14 @@ There are two complementary configuration settings to ``prebind``.
 They are :ref:`keepalive` and :ref:`prebind_url`.
 
 ``keepalive`` can be used keep the session alive without having to pass in
-new tokens to ``converse.initialize`` every time you reload the page. This
-removes the need to set up a new BOSH session every time a page loads.
+new RID and SID tokens to ``converse.initialize`` every time you reload the page.
+This removes the need to set up a new BOSH session every time a page loads.
+You do however still need to supply the user's JID so that converse.js can be
+sure that the session it's resuming is for the right user.
 
 ``prebind_url`` lets you specify a URL which converse.js will call whenever a
 new BOSH session needs to be set up.
 
-
 Here's an example of converse.js being initialized with these three options:
 
 .. code-block:: javascript
@@ -324,6 +341,7 @@ Here's an example of converse.js being initialized with these three options:
     converse.initialize({
         bosh_service_url: 'https://bind.example.com',
         keepalive: true,
+        jid: me@example.com,
         prebind: true,
         prebind_url: 'http://example.com/api/prebind',
         allow_logout: false
@@ -333,7 +351,7 @@ Here's an example of converse.js being initialized with these three options:
     simplifies the code needed to set up and maintain prebinded sessions.
 
     When using ``prebind_url`` and ``keepalive``, you don't need to manually pass in
-    the RID, SID and JID tokens anymore.
+    the RID, SID tokens anymore, but you still need to provide the JID.
 
 
 .. _`prebind_url`: