[thelist] JSP Sessions duplicate

Dan McCullough dan.mccullough at gmail.com
Thu Jun 9 09:47:21 CDT 2005


Are A and B present on the system at the same time?  If not then could
B be using A's computer and then trip a spot where A's old session id
is used through the use of address line prefill?  I say that scenario is
highly unlikely, but a consideration nonetheless.  Is this a
multi-tiered application with several WebSphere servers?  If so are
all servlets serialized?

Don't look past the config of the WebSphere app servers.

Honestly I would have to say that there is a small snippet of
non-thread-safe code sitting around somewhere, and it only gets tripped
in some odd series of events done by the users.  Is there any way you
can contact A and B and see if they can retrace their online
adventure?

On 6/9/05, Hassan Schroeder <hassan at webtuitive.com> wrote:
> VOLKAN ÖZÇELİK wrote:
> 
> > I have a peculiar problem: My sessions on the server mix at times.
> > We use JSP pages and IBM WebSphere Application Server as the
> > server-side technology.
> 
> I have no experience with Websphere, but...
> 
> > User A logs in -> a User object is created for him and stored in A's session.
> > User B logs in -> a User object is created for him and stored in B's session.
> 
> What authentication mechanism are you using? In other words, how
> is A or B's identity bound to a session?
> 
> > And here is the very rarely-occurring (but occurring anyway) situation:
> >
> > User B logs in, but when he requests the user Object from his session,
> > he sees that it is A's User object. (in other words he sees A's name
> > on the browser window)
> 
> > Here is my guess
> > - User A logs in, opens a session, gets a session id S.
> > - Somehow user A gets another session id T and continues communicating
> > with the server via T.
> 
> That seems like it would require Websphere to be seriously broken. :-)
> 
> > - User B logs in,
> > - The server gives id S to user B, instead of creating a new session.
> > Now Both user A and user B are "user A" according to the server.
> 
> But is the Object in user B's session *the same* Object, or a copy?
> That would tell you a lot.
> 
> In any case, why don't you install an HttpSessionAttributeListener
> to log each session event?
> 
> For that matter, you should instrument the servlet that's doing
> > User A logs in -> a User object is created for him and stored ...
> to log the event, the requester, and the sessionId associated with
> that action.
> 
> Otherwise, it's all speculation...
> 
> FWIW!
> --
> Hassan Schroeder ----------------------------- hassan at webtuitive.com
> Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com
> 
>                           dream.  code.
> 
> 
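The instrumentation Hassan suggests, written out as an added example (it is not code from the thread, from Volkan's application, or from WebSphere): one class that is both an HttpSessionAttributeListener and a servlet Filter. The listener logs every add/replace/remove of a session attribute together with the session id, the value's class and identity hash, and the worker thread; the filter logs, per request, the requester's address, the session id the browser sent, whether the container still considers it valid, the session it actually resolved, and the identity hash of the User object in that session. The identity hash answers the "same Object or a copy?" question directly: two sessions showing the same hash share one object. The class name, logger name and the attribute name "user" are assumptions; the servlet API calls are standard Servlet 2.3.

```java
// Added diagnostic example, not from the original thread. Assumes the login
// code stores the User object under the session attribute name "user" and
// that the class is registered in web.xml as both <listener> and <filter>.
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;

public class SessionMixDiagnostics implements HttpSessionAttributeListener, Filter {
    private static final Logger LOG = Logger.getLogger("session-diag");
    private static final String USER_ATTR = "user"; // assumed attribute name

    // Class name plus identity hash: if A's session and B's session report the
    // same value here, they hold the *same* object, not a copy of it.
    static String describe(Object v) {
        if (v == null) {
            return "null";
        }
        return v.getClass().getName() + "@" + Integer.toHexString(System.identityHashCode(v));
    }

    private void logEvent(String kind, HttpSessionBindingEvent e) {
        // For REPLACE, e.getValue() is the value being replaced (the old one).
        LOG.info(String.format("%s session=%s attr=%s value=%s thread=%s",
                kind, e.getSession().getId(), e.getName(), describe(e.getValue()),
                Thread.currentThread().getName()));
    }

    public void attributeAdded(HttpSessionBindingEvent e) { logEvent("ADD", e); }
    public void attributeRemoved(HttpSessionBindingEvent e) { logEvent("REMOVE", e); }
    public void attributeReplaced(HttpSessionBindingEvent e) { logEvent("REPLACE", e); }

    public void init(FilterConfig config) { }
    public void destroy() { }

    // One line per request tying requester, the session id the client sent,
    // the session the container actually resolved, and the User it contains.
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpSession s = r.getSession(false); // do not create one as a side effect
        LOG.info(String.format(
                "REQ uri=%s from=%s requestedSid=%s valid=%b sid=%s user=%s thread=%s",
                r.getRequestURI(), r.getRemoteAddr(), r.getRequestedSessionId(),
                r.isRequestedSessionIdValid(),
                s == null ? "-" : s.getId(),
                s == null ? "-" : describe(s.getAttribute(USER_ATTR)),
                Thread.currentThread().getName()));
        chain.doFilter(req, res);
    }
}
```

Register it with a `<listener>` element and a `<filter>`/`<filter-mapping>` for `/*` in web.xml, then reproduce the mix-up: the REQ line for B's first request shows whether B's browser sent A's id (Dan's address-line-prefill scenario), whether the container handed B a fresh id that already had a `user` attribute, or whether a fresh session holds an object whose identity hash matches A's (a shared object, which points at the non-thread-safe-code theory, typically a servlet keeping the current User in an instance field, since one servlet instance serves all concurrent requests).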

