[thelist] JSP Sessions duplicate
Hassan Schroeder
hassan at webtuitive.com
Thu Jun 9 08:53:39 CDT 2005
VOLKAN ÖZÇELİK wrote:
> I have a peculiar problem: My sessions on the server mix at times.
> We use JSP pages and IBM WebSphere Application Server as the
> server-side technology.
I have no experience with WebSphere, but...
> User A logs in -> a User object is created for him and stored in A's session.
> User B logs in -> a User object is created for him and stored in B's session.
What authentication mechanism are you using? In other words, how
is A or B's identity bound to a session?
> And here is the very rarely-occurring (but occurring anyways) situation:
>
> User B logs in, but when he requests the user Object from his session,
> he sees that it is A's User object. (in other words he sees A's name
> on the browser window)
> Here is my guess
> - User A logs in, opens a session, gets a session id S.
> - Somehow user A gets another session id T and continues communicating
> with the server via T.
That seems like it would require WebSphere to be seriously broken. :-)
> - User B logs in,
> - The server gives id S to user B, instead of creating a new session.
> Now Both user A and user B are "user A" according to the server.
But is the Object in user B's session *the same* Object, or a copy?
That would tell you a lot.
In any case, why don't you install an HttpSessionAttributeListener
to log each session event?
For that matter, you should instrument the servlet that's doing
> User A logs in -> a User object is created for him and stored ...
to log the event, the requester, and the sessionId associated with
that action.
Otherwise, it's all speculation...
FWIW!
--
Hassan Schroeder ----------------------------- hassan at webtuitive.com
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com
dream. code.
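
The HttpSessionAttributeListener suggested in the reply above, as an added example that is not part of the original post. It assumes the javax.servlet API, a hypothetical class name SessionAuditListener, and that the login code stores the User object under the attribute key "user"; the identity hash in each log line addresses the "same Object, or a copy?" question.

```java
import java.util.logging.Logger;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;

// Hypothetical class name; register it with a <listener> element in web.xml.
public class SessionAuditListener implements HttpSessionAttributeListener {
    private static final Logger LOG = Logger.getLogger("session.audit");
    // Assumed attribute key under which the login code stores the User object.
    private static final String USER_KEY = "user";

    public void attributeAdded(HttpSessionBindingEvent e) {
        log("ADDED", e, e.getValue());
    }

    public void attributeReplaced(HttpSessionBindingEvent e) {
        // For a replace event getValue() returns the OLD value,
        // so the new value is read back from the session.
        Object current = e.getSession().getAttribute(e.getName());
        log("REPLACED old=" + describe(e.getValue()), e, current);
    }

    public void attributeRemoved(HttpSessionBindingEvent e) {
        log("REMOVED", e, e.getValue());
    }

    private void log(String action, HttpSessionBindingEvent e, Object value) {
        if (!USER_KEY.equals(e.getName())) {
            return; // only the User binding is of interest here
        }
        // The session id is a bearer credential: keep this log access-restricted.
        LOG.info(action
            + " session=" + e.getSession().getId()
            + " thread=" + Thread.currentThread().getName()
            + " value=" + describe(value));
    }

    // Identity hash plus toString(): two sessions logging the same identity hash
    // (within one JVM) almost certainly share one instance rather than hold copies.
    private static String describe(Object o) {
        if (o == null) {
            return "null";
        }
        return o.getClass().getName() + "@"
            + Integer.toHexString(System.identityHashCode(o)) + "[" + o + "]";
    }
}
```

Two different session ids logging the same identity hash point to a shared User instance (for example a servlet instance field or static holding it), while one session id logging ADDED and then REPLACED with different users points to the session itself being reused.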