Solved

Session object of previously logged-in users is retrieved

Posted on 2004-04-19
Last Modified: 2010-04-01
Hi,

I encountered a problem while testing my web application on the internet.
When a user is authorized, the parameters of this user are stored in the
"UserInfo" object and put in the session, as below:

  /** LoginAction.java **/

  if (errorDetected == false) {
      UserInfo userInfoBean = userDBBean.ParseUserInfo(username, verify);
      userInfoBean.setU_KulAdiNosu(verify);
      HttpSession session = req.getSession();
      session.setAttribute("user", userInfoBean);
      logined = "true";
      session.setAttribute("logined", logined);
      ...
During the tests, when you log in to the application, surprisingly the
session of the previously logged-in user is retrieved.

The UserInfo object is retrieved later in the JSP page:
UserInfo userInfoBean = ( UserInfo )session.getAttribute("user");

Can you give me a hint how to avoid this session problem?

Thank you in advance, for your help!
Ramil.
0
Question by:ramil600
9 Comments
 
LVL 35

Expert Comment

by:TimYates
ID: 10857803
Are you using two browsers on the same machine?  They could be sharing the same session...

Try using 2 different machines, or start 2 instances of the browser

DO:  Load 2 separate browsers
DON'T:  Press Ctrl-N or "File->New Window" to get the second browser window...
0
 
LVL 7

Expert Comment

by:searlas
ID: 10857843
Additionally, you should probably have a log off action that calls session.invalidate() to log off a user (this may not be a requirement or even necessary depending on your application; but it's good to do security-wise, and to enable you to quickly test and develop without constantly being forced to start up a new browser whenever you want a new session.)

0
 

Author Comment

by:ramil600
ID: 10858090
I implement session.invalidate() in the logout process, LogoutAction.java.

The problem is not so simple: when we test on our local net, there is no problem with sessions. But when the client firm tests on the internet, regardless of whether the machine is the same or not, some JSP pages (not all!) retrieve the session of the previous users!

It is a really annoying problem! Have you any suggestions?
I am not an expert, but should we implement the java.io.Serializable interface for the UserInfo object which is put in the session?

Another question: what advantages will "serializing" the object give us?

Thank you in advance!
0

 
LVL 7

Accepted Solution

by:
searlas earned 125 total points
ID: 10858285
All objects added to a session should be Serializable.  The benefits of serialization become clear when you have a large number of users.  Instead of the server holding all users' sessions in memory, it writes the currently inactive sessions to disk (this is called passivating.)  Then, when a user makes another request, the server may have to fetch the session contents from disk again.  To ensure this passivate/activate mechanism works correctly, all the objects stored in the session should implement Serializable.

You say the client sees other users' login data... is this fresh data, or is it stale?  i.e. could it be their proxy settings which are causing them to see other users' pages?  I've encountered this problem before, and it requires either proxy configuration, using POST instead of GET (on forms), or adding a timestamp/unique-id parameter to all URLs.  Hopefully you'll find proxy configuration to be sufficient.
0
 

Author Comment

by:ramil600
ID: 10858340
RE: You say the client sees other users' login data... is this fresh data, or is it stale?  i.e. could it be their proxy settings which are causing them to see other users' pages?  I've encountered this problem before, and it requires either proxy configuration, using POST instead of GET (on forms), or adding a timestamp/unique-id parameter to all URLs.  Hopefully you'll find proxy configuration to be sufficient.

Thank you, searlas.
The data seems to be not very fresh, but it may also be the data from a user that logged in half a minute before. So I am not sure about this.
The application retrieves data from database, according to the object UserInfo stored in the session. (This object was not serializable).
Also you mentioned about proxy settings. How can it affect the sessions of different users?
0
 
LVL 7

Expert Comment

by:searlas
ID: 10858852
Proxies sometimes just cache based on URL, so if you had a page like:
http://foo.bar/shop/basket.jsp?command=add&productId=245

Once fetched this may be cached.  As the proxy has no knowledge of the purpose of this page (i.e. to add an item to a shopping basket) the next time it gets a request for the same URL, it returns the same HTML that was returned the first time.  This actually means the server is never contacted at all.

As I'm just talking about the proxy here, the server is not even aware that a second user requested the same URL, and so has no opportunity to produce different HTML using the correct UserInfo object...

Does that make any sense to you?

0
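The URL-keyed caching described in the comment above, as an added example that is not part of the original thread. It is a constructed simulation in plain Java (16 or later, for `record`); the `Proxy` class, the user names and the header handling are illustrative assumptions, not the behaviour of any particular proxy product.

```java
import java.util.HashMap;
import java.util.Map;

/** Constructed simulation: a shared cache keyed only by URL. */
public class SharedCacheDemo {

    /** Origin response: body plus the Cache-Control value the server sent (may be null). */
    record Response(String body, String cacheControl) {}

    /** Stand-in for the JSP: renders a page from the UserInfo held in the caller's session. */
    static Response origin(String sessionUser, boolean sendPrivateHeader) {
        String body = "<p>Basket of " + sessionUser + "</p>";
        return new Response(body, sendPrivateHeader ? "private, no-store" : null);
    }

    /** Toy proxy: stores by URL alone and never looks at cookies or session ids. */
    static class Proxy {
        private final Map<String, Response> store = new HashMap<>();

        String fetch(String url, String sessionUser, boolean sendPrivateHeader) {
            Response cached = store.get(url);
            if (cached != null) {
                return cached.body();   // the origin server is never contacted
            }
            Response fresh = origin(sessionUser, sendPrivateHeader);
            String cc = fresh.cacheControl();
            // A shared cache must not store responses marked private or no-store.
            boolean storable = cc == null
                    || !(cc.contains("private") || cc.contains("no-store"));
            if (storable) {
                store.put(url, fresh);
            }
            return fresh.body();
        }
    }

    public static void main(String[] args) {
        String url = "http://foo.bar/shop/basket.jsp?command=add&productId=245";

        Proxy leaky = new Proxy();
        leaky.fetch(url, "alice", false);   // first user populates the cache
        System.out.println("no header: bob sees " + leaky.fetch(url, "bob", false));

        Proxy safe = new Proxy();
        safe.fetch(url, "alice", true);     // response is marked private, not stored
        System.out.println("private:   bob sees " + safe.fetch(url, "bob", true));
    }
}
```

In the first run the second user receives the first user's page from the cache, which matches the symptom in the question without any fault in the server's session handling.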
 

Expert Comment

by:hutkey
ID: 11037997
A similar kind of problem is bugging me with my system.
I have used a JSP as the controller, and I am not using any bean to store the user information. I store the information directly using the session.setAttribute() method in login.jsp.
The logout.jsp has the session.invalidate() method.
Even if I log out, the attributes from the previous session are used to process the current requests.

Please help.

Thanks in advance.
0
 

Author Comment

by:ramil600
ID: 11038073
My solution was to implement the Serializable interface for objects put in the session.
Another reason may be a proxy, which forwards the cached pages; you may use the "cache-control" header in your page.
0
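One way to send the "cache-control" header mentioned above on every dynamic page, as an added example that is not code from the original thread. The class name and the `web.xml` mapping are assumptions; it targets the `javax.servlet` API of that Tomcat generation (newer containers use the `jakarta.servlet` package instead).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter: marks every response it is mapped to as uncacheable,
 * so a proxy between client and server cannot replay one user's page to another.
 * Assumed mapping in web.xml: a <filter-mapping> covering *.jsp and the
 * login/logout action URLs, so the login response itself is covered too.
 */
public class NoCacheFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // no configuration needed
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse httpRes = (HttpServletResponse) res;
            // Set before chain.doFilter(): once the JSP commits the response,
            // later header changes are silently ignored.
            httpRes.setHeader("Cache-Control",
                    "private, no-store, no-cache, must-revalidate");
            httpRes.setHeader("Pragma", "no-cache");  // for HTTP/1.0 proxies
            httpRes.setDateHeader("Expires", 0L);     // already expired
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }
}
```

Setting the headers in a filter rather than in each JSP keeps pages added later from being left cacheable by omission.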
 

Expert Comment

by:hutkey
ID: 11038541
Currently, there is no proxy problem. The system is still in the testing phase and is being tested on the standalone machine.

I used the "cache-control" header,
implemented session.invalidate(),
deleted the "work" directory,
reinstalled Tomcat (5.0.18),

but no change.

Help, thanks in advance.
0
