We’ve implemented something similar using the Presence approach, which works but indeed has that limitation. Using the csrf token as the key helps but still seems to still be shared between tabs, so still looking for a better way…
Ahh, that’s probably because Phoenix by default uses get_csrf_token/0 from Plug.CSRFProtection which returns an existing token cached in Plug.Session and sessions are generally shared across tabs in the same browser.
Hmm, first thought was that sounds neat. Moments later, another thought popped up about whether that could potentially introduce some security vulnerabilites. What if a malicious user manually intercepts and pushs a targeted event that, if not properly validated on the server, gives them some level of insight into or access to another LiveView? ¯\_(ツ)_/¯
Thanks @codeanpeace and @olivermt for your suggestions. Using Phoenix.LiveView.get_connect_params(socket)["_csrf_token"] in the child LiveView gives me the same token as used to connect the websocket which seems to not be reused between tabs so that solves it