[thelist] JSP Sessions duplicate

VOLKAN ÖZÇELİK volkan.ozcelik at gmail.com
Thu Jun 9 03:13:45 CDT 2005

Hi all!

I have a peculiar problem: My sessions on the server mix at times.
We use JSP pages and IBM WebSphere Application Server as the
server-side technology.

Let me explain with a scenario:

User A logs in -> a User object is created for him and stored in A's session.
User B logs in -> a User object is created for him and stored in B's session.

This is the normal case, as you may guess.

And here is the very rarely occurring (but occurring anyway) situation:

User B logs in, but when he requests the user Object from his session,
he sees that it is A's User object. (in other words he sees A's name
on the browser window)

(This is not an issue of client-side caching. All the server logs and
database logs indicate that User B is doing things under the name of
user A. This gives A's permissions and privileges to B, which he may
not have.)

Here is my guess:
- User A logs in, opens a session, gets a session id S.
- Somehow user A gets another session id T and continues communicating
with the server via T.

- User B logs in,
- The server gives id S to user B, instead of creating a new session.
Now both user A and user B are "user A" according to the server.

Please note that this is only my guess and may not reflect the real situation.

Have you ever come across something similar?
What may be the cause of it? 
Do you have any remedies?
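
One way to check the guess above against server logs, as an added example that is not part of the original post: it correlates log lines by session id and flags any id that serves more than one identity. The log format, the event names, user C and session id U are assumptions made for illustration; the sample lines are constructed to mirror the A/B, S/T scenario.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post). Assumed format:
# time, client IP, session id, event, user=<name>.
# LOGIN carries the name that authenticated; REQUEST carries the name
# read from the User object stored in that session.
SAMPLE_LOG = """\
09:00:01 10.0.0.5 sid=S LOGIN user=A
09:00:07 10.0.0.5 sid=S REQUEST user=A
09:01:30 10.0.0.5 sid=T REQUEST user=A
09:02:10 10.0.0.9 sid=S LOGIN user=B
09:02:15 10.0.0.9 sid=S REQUEST user=A
09:03:00 10.0.0.7 sid=U LOGIN user=C
09:03:05 10.0.0.7 sid=U REQUEST user=C
"""

LINE = re.compile(r"(\S+) (\S+) sid=(\S+) (LOGIN|REQUEST) user=(\S+)")

def find_mixed_sessions(log_text):
    """Return (time, sid, kind, expected_user, seen_user) findings."""
    last_login = {}             # sid -> user who last authenticated on it
    logins = defaultdict(list)  # sid -> every user who logged in on it
    findings = []
    for raw in log_text.splitlines():
        m = LINE.fullmatch(raw.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, _ip, sid, event, user = m.groups()
        if event == "LOGIN":
            # A second, different login on an existing id means the id
            # was handed out again instead of a new session being created.
            if logins[sid] and user not in logins[sid]:
                findings.append((ts, sid, "session-id-reused", logins[sid][-1], user))
            logins[sid].append(user)
            last_login[sid] = user
        elif sid not in last_login:
            # Requests on an id that never saw a login (user A's id T).
            findings.append((ts, sid, "request-without-login", None, user))
        elif last_login[sid] != user:
            # Session object belongs to someone other than who logged in.
            findings.append((ts, sid, "identity-mismatch", last_login[sid], user))
    return findings

if __name__ == "__main__":
    for finding in find_mixed_sessions(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, all three findings together match the guessed sequence; an identity-mismatch without a preceding session-id-reused on the same id would point away from it.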


