  • Status: Solved

Session object of previously logged-in users is retrieved

Hi,

I encountered a problem while testing my web application on the internet.
When a user is authorized, the parameters of this user are stored in the
"UserInfo" object and put into the session, as below:

    /** LoginAction.java **/

    if (errorDetected == false) {
        UserInfo userInfoBean = userDBBean.ParseUserInfo(username, verify);
        userInfoBean.setU_KulAdiNosu(verify);
        HttpSession session = req.getSession();
        session.setAttribute("user", userInfoBean);
        logined = "true";
        session.setAttribute("logined", logined);
    ...
During the tests, when you log in to the application, surprisingly the
session of the previously logged-in user is retrieved.

The UserInfo object is retrieved later in the JSP page:
UserInfo userInfoBean = ( UserInfo )session.getAttribute("user");

Can you give me a hint how to avoid this session problem?

Thank you in advance, for your help!
Ramil.
Asked by: ramil600

TimYates Commented:
Are you using two browsers on the same machine?  They could be sharing the same session...

Try using 2 different machines, or start 2 instances of the browser

DO:  Load 2 separate browsers
DON'T:  Press Ctrl-N or "File->New Window" to get the second browser window...

searlas Commented:
Additionally, you should probably have a log off action that calls session.invalidate() to log off a user (this may not be a requirement or even necessary depending on your application; but it's good to do security-wise, and to enable you to quickly test and develop without constantly being forced to start up a new browser whenever you want a new session.)

ramil600 (Author) Commented:
I implement session.invalidate() in the logout process, LogoutAction.java.

The problem is not so simple: when we test on our local network, there is no problem with sessions. But when the client firm tests on the internet, regardless of whether the machine is the same or not, some JSP pages (not all!) retrieve the session of the previous users!

It is a really annoying problem! Do you have any suggestions?
I am not an expert, but should we implement the java.io.Serializable interface for the UserInfo object which is put in the session?

Another question: what advantages will "serializing" the object give us?

Thank you in advance!

searlas Commented:
All objects added to a session should be Serializable.  The benefits of serialization become clear when you have a large number of users.  Instead of the server holding all users' sessions in memory, it writes the currently inactive sessions to disk (this is called passivating).  Then, when a user makes another request, the server may have to fetch the session contents from disk again.  To ensure this passivate/activate mechanism works correctly, all the objects stored in the session should implement Serializable.

You say the client sees other users' login data... is this fresh data, or is it stale?  i.e. could it be their proxy settings which are causing them to see other users' pages?  I've encountered this problem before, and it requires either proxy configuration, using POST instead of GET (on forms), or adding a timestamp/unique-id parameter to all URLs.  Hopefully you'll find proxy configuration to be sufficient.

ramil600 (Author) Commented:
RE: You say the client sees other users' login data... is this fresh data, or is it stale?  i.e. could it be their proxy settings which are causing them to see other users' pages?  I've encountered this problem before, and it requires either proxy configuration, using POST instead of GET (on forms), or adding a timestamp/unique-id parameter to all URLs.  Hopefully you'll find proxy configuration to be sufficient.

Thank you, searlas.
The data seems to be not very fresh, but it may also be the data from a user that logged in half a minute before. So I am not sure about this.
The application retrieves data from the database, according to the UserInfo object stored in the session. (This object was not serializable.)
Also, you mentioned proxy settings. How can they affect the sessions of different users?

searlas Commented:
Proxies sometimes just cache based on URL, so if you had a page like:
http://foo.bar/shop/basket.jsp?command=add&productId=245

Once fetched this may be cached.  As the proxy has no knowledge of the purpose of this page (i.e. to add an item to a shopping basket) the next time it gets a request for the same URL, it returns the same HTML that was returned the first time.  This actually means the server is never contacted at all.

As I'm just talking about the proxy here, the server is not even aware that a second user requested the same URL, and so has no opportunity to produce different HTML using the correct UserInfo object...

Does that make any sense to you?
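
The proxy behaviour searlas describes, as an added example that is not part of the original thread: a toy proxy that caches on URL alone sits in front of an origin that renders the page from the session. The class names, session ids and user names are constructed for illustration; only the URL is taken from the post above, and the proxy's rule for what it may store is a simplifying assumption.

```java
import java.util.HashMap;
import java.util.Map;

public class ProxyCacheLeakDemo {
    // Body plus the Cache-Control value the origin sent (null = header absent).
    record Response(String body, String cacheControl) {}

    // Origin: renders the page for whichever user owns the session id.
    static class Origin {
        final Map<String, String> sessions = new HashMap<>(); // session id -> user
        final boolean sendNoStore;
        Origin(boolean sendNoStore) { this.sendNoStore = sendNoStore; }

        Response handle(String url, String sessionId) {
            String user = sessions.getOrDefault(sessionId, "anonymous");
            return new Response("Basket of " + user,
                    sendNoStore ? "private, no-store" : null);
        }
    }

    // Shared proxy: the cache key is the URL only; cookies are ignored.
    static class Proxy {
        final Origin origin;
        final Map<String, Response> cache = new HashMap<>();
        Proxy(Origin origin) { this.origin = origin; }

        String get(String url, String sessionId) {
            Response hit = cache.get(url);
            if (hit != null) return hit.body();      // origin is never contacted
            Response fresh = origin.handle(url, sessionId);
            String cc = fresh.cacheControl();
            boolean storable = cc == null
                    || !(cc.contains("no-store") || cc.contains("private"));
            if (storable) cache.put(url, fresh);     // assumption: cache unless told not to
            return fresh.body();
        }
    }

    // Returns the page the second user receives for the URL the first user already fetched.
    static String secondUserSees(boolean sendNoStore) {
        Origin origin = new Origin(sendNoStore);
        origin.sessions.put("sid-A", "alice");       // constructed sample sessions
        origin.sessions.put("sid-B", "bob");
        Proxy proxy = new Proxy(origin);
        String url = "http://foo.bar/shop/basket.jsp?command=add&productId=245";
        proxy.get(url, "sid-A");                     // alice's request fills the cache
        return proxy.get(url, "sid-B");              // bob asks for the same URL
    }

    public static void main(String[] args) {
        System.out.println("header absent : " + secondUserSees(false));
        System.out.println("no-store sent : " + secondUserSees(true));
    }
}
```

In a servlet or JSP the corresponding call is response.setHeader("Cache-Control", "private, no-store") on every page rendered from session data.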

hutkey Commented:
A similar kind of problem is bugging me with my system.
I have used a JSP as the controller, and I am not using any bean to store the user information. I store the information directly using the session.setAttribute() method in login.jsp.
The logout.jsp has the session.invalidate() method.
Even if I log out, the attributes from the previous session are used to process the current requests.

Please help.

Thanks in advance.

ramil600 (Author) Commented:
My solution was to implement the Serializable interface for objects put into the session.
Another reason may be a proxy, which forwards the cached pages; you may use the "cache-control" header in your page.

hutkey Commented:
Currently, there is no proxy problem. The system is still in the testing phase and is being tested on the standalone machine.

I used the "cache-control" header,
implemented session.invalidate(),
deleted the "work" directory,
reinstalled Tomcat (5.0.18),

but no change.

Help, thanks in advance.