[thelist] JSP Sessions duplicate
Dan McCullough
dan.mccullough at gmail.com
Thu Jun 9 09:47:21 CDT 2005
Are A and B present on the system at the same time? If not then could
B be using A's computer and then trip a spot where A's old session id
is used through the use of address line prefill? I say that scenario is
highly unlikely, but a consideration nonetheless. Is this a
multi-tiered application with several WebSphere servers? If so are
all servlets serialized?
Don't look past the config of the WebSphere app servers.
Honestly I would have to say that there is a small snippet of
non-thread-safe code sitting around somewhere, and it only gets tripped
in some odd series of events done by the users. Is there any way you
can contact A and B and see if they can retrace their online
adventure?
On 6/9/05, Hassan Schroeder <hassan at webtuitive.com> wrote:
> VOLKAN ÖZÇELİK wrote:
>
> > I have a peculiar problem: My sessions on the server mix at times.
> > We use JSP pages and IBM WebSphere Application Server as the
> > server-side technology.
>
> I have no experience with Websphere, but...
>
> > User A logs in -> a User object is created for him and stored in A's session.
> > User B logs in -> a User object is created for him and stored in B's session.
>
> What authentication mechanism are you using? In other words, how
> is A or B's identity bound to a session?
>
> > And here is the very rarely-occurring (but occurring anyway) situation:
> >
> > User B logs in, but when he requests the user Object from his session,
> > he sees that it is A's User object. (in other words he sees A's name
> > on the browser window)
>
> > Here is my guess
> > - User A logs in, opens a session, gets a session id S.
> > - Somehow user A gets another session id T and continues communicating
> > with the server via T.
>
> That seems like it would require Websphere to be seriously broken. :-)
>
> > - User B logs in,
> > - The server gives id S to user B, instead of creating a new session.
> > Now Both user A and user B are "user A" according to the server.
>
> But is the Object in user B's session *the same* Object, or a copy?
> That would tell you a lot.
>
> In any case, why don't you install an HttpSessionAttributeListener
> to log each session event?
>
> For that matter, you should instrument the servlet that's doing
> > User A logs in -> a User object is created for him and stored ...
> to log the event, the requester, and the sessionId associated with
> that action.
>
> Otherwise, it's all speculation...
>
> FWIW!
> --
> Hassan Schroeder ----------------------------- hassan at webtuitive.com
> Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com
>
> dream. code.
>
>