[thelist] JSP Sessions duplicate

Hassan Schroeder hassan at webtuitive.com
Thu Jun 9 08:53:39 CDT 2005


VOLKAN ÖZÇELİK wrote:

> I have a peculiar problem: My sessions on the server mix at times.
> We use JSP pages and IBM WebSphere Application Server as the
> server-side technology.

I have no experience with Websphere, but...

> User A logs in -> a User object is created for him and stored in A's session.
> User B logs in -> a User object is created for him and stored in B's session.

What authentication mechanism are you using? In other words, how
is A or B's identity bound to a session?

> And here is the very rarely-occurring (but occurring anyways) situation:
> 
> User B logs in, but when he requests the user Object from his session,
> he sees that it is A's User object. (in other words he sees A's name
> on the browser window)

> Here is my guess 
> - User A logs in, opens a session, gets a session id S.
> - Somehow user A gets another session id T and continues communicating
> with the server via T.

That seems like it would require Websphere to be seriously broken. :-)

> - User B logs in,
> - The server gives id S to user B, instead of creating a new session.
> Now both user A and user B are "user A" according to the server.

But is the Object in user B's session *the same* Object, or a copy?
That would tell you a lot.

In any case, why don't you install an HttpSessionAttributeListener
to log each session event?

For that matter, you should instrument the servlet that's doing
 > User A logs in -> a User object is created for him and stored ...
to log the event, the requester, and the sessionId associated with
that action.

Otherwise, it's all speculation...

FWIW!
-- 
Hassan Schroeder ----------------------------- hassan at webtuitive.com
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

                           dream.  code.
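
The listener suggested above, as an added example that is not part of the original post: it logs every session attribute event with the stored object's identity, and warns when one instance ends up bound to two sessions, which answers the "same Object, or a copy?" question. The class name, the `user` attribute name, the logger name and the hashed session tag are assumptions.

```java
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;

// Register in WEB-INF/web.xml:
//   <listener><listener-class>SessionAuditListener</listener-class></listener>
public class SessionAuditListener implements HttpSessionAttributeListener {
    private static final Logger LOG = Logger.getLogger("session.audit");
    private static final String USER_ATTR = "user"; // assumed attribute name
    // Maps each stored instance (by identity, not equals()) to its session id.
    private final Map<Object, String> owner =
            Collections.synchronizedMap(new IdentityHashMap<Object, String>());

    public void attributeAdded(HttpSessionBindingEvent e) {
        record("ADDED", e, e.getValue());
    }

    public void attributeReplaced(HttpSessionBindingEvent e) {
        // Here getValue() is the OLD value; the new one is already in the session.
        owner.remove(e.getValue());
        record("REPLACED", e, e.getSession().getAttribute(e.getName()));
    }

    public void attributeRemoved(HttpSessionBindingEvent e) {
        owner.remove(e.getValue());
        log("REMOVED", e, e.getValue());
    }

    private void record(String what, HttpSessionBindingEvent e, Object value) {
        log(what, e, value);
        if (!USER_ATTR.equals(e.getName()) || value == null) return;
        String sid = e.getSession().getId();
        String previous = owner.put(value, sid);
        if (previous != null && !previous.equals(sid)) {
            LOG.warning("same instance bound to sessions " + tag(previous) + " and " + tag(sid));
        }
    }

    private void log(String what, HttpSessionBindingEvent e, Object value) {
        LOG.info(what + " session=" + tag(e.getSession().getId()) + " attr=" + e.getName()
                + " identity=" + System.identityHashCode(value)
                + " thread=" + Thread.currentThread().getName());
    }

    // Log a correlation tag, not the raw id: a session id in a log file is a credential.
    private static String tag(String sid) { return Integer.toHexString(sid.hashCode()); }
}
```

Two log lines with the same `identity` but different `session` tags mean the object itself is shared, for example through a static or instance field in a servlet or JSP, rather than the container handing out the wrong session.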



