Solved

Session object  of previously logined users is retrieved

Posted on 2004-04-19
9
828 Views
Last Modified: 2010-04-01
Hi,

I encountered a problem while testing my web application in the internet.
When user is authorized, the parameters of this user are stored in the
"UserInfo" object and put to the session, as the below:

                    /** LoginAction.java**/

  if (errorDetected == false){
           UserInfo userInfoBean = userDBBean.ParseUserInfo(username,
verify);
           userInfoBean.setU_KulAdiNosu(verify);
           HttpSession session = req.getSession();
           session.setAttribute("user", userInfoBean );
           logined = "true";
           session.setAttribute("logined", logined );
...
During the tests, when you login to the application, surprisibgly the
session of previously logined user is retrieved.

The UserInfo object is retreived later in jsp page :
UserInfo userInfoBean = ( UserInfo )session.getAttribute("user");

Can you give me a hint how to avoid this session problem?

Thank you in advance, for your help!
Ramil.
0
Comment
Question by:ramil600
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 35

Expert Comment

by:TimYates
ID: 10857803
Are you using two browsers on the same machine?  They could be sharing the same session...

Try using 2 different machines, or start 2 instances of the browser

DO:  Load 2 seperate browsers
DONT:  Press Ctrl-N or "File->New Window" to get the second browser window...
0
 
LVL 7

Expert Comment

by:searlas
ID: 10857843
Additionally, you should probably have a log off action that calls session.invalidate() to log off a user (this may not be a requirement or even necessary depending on your application; but it's good to do security-wise, and to enable you to quickly test and develop without constantly being forced to start up a new browser whenever you want a new session.)

0
 

Author Comment

by:ramil600
ID: 10858090
I implement session.invalidate() in
logout process LogoutAction.java.

The problem is not so simple, when we test on our local net, there is no problem with sessions. But when the client firm tests in the internet, regardless is the machine same or not, some jsp pages, not all! , retrieve the session of the previous users!

It is really annoying problem! Have you any suggestions.
I am not expert but should we implement java.io.Serializable interface for UserInfo object which is put in the Session.

Another question what advantages will give us "serializing" the object?

Thank you in advance!
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 7

Accepted Solution

by:
searlas earned 125 total points
ID: 10858285
All objects added to a session should be Serializable.  The benefits of serialization become clear when you have a large number of users.  Instead of the server holding all users sessions in memory, it writes the currently inactive sessions to disk (this is called passivating.)  Then, when a user makes another request, the server may have to fetch the session contents from disk again.  To ensure this passivate/activate mechanism works correctly all the objects stored in the sessio should implement Serializable.

You say the client sees other users login data... is this fresh data, or is it stale?  i.e. could it be there proxy settings which are causing them to see other users pages?  I've encountered this problem before, and it requires either proxy configuration, using POST instead of GET (on forms), or adding a timestamp/unique-id parameter to all url's.  Hopefully you'll find proxy configuration to be sufficient.
0
 

Author Comment

by:ramil600
ID: 10858340
RE:You say the client sees other users login data... is this fresh data, or is it stale?  i.e. could it be there proxy settings which are causing them to see other users pages?  I've encountered this problem before, and it requires either proxy configuration, using POST instead of GET (on forms), or adding a timestamp/unique-id parameter to all url's.  Hopefully you'll find proxy configuration to be sufficient.

Thank you, searlas.
The data seems to be not very fresh,but it may also be the data from user that logined half a minute before. So I am not sure about this?
The application retrieves data from database, according to the object UserInfo stored in the session. (This object was not serializable).
Also you mentioned about proxy settings. How can it affect the sessions of different users?
0
 
LVL 7

Expert Comment

by:searlas
ID: 10858852
Proxies sometimes just cache based on URL, so if you had a page like:
http://foo.bar/shop/basket.jsp?command=add&productId=245

Once fetched this may be cached.  As the proxy has no knowledge of the purpose of this page (i.e. to add an item to a shopping basket) the next time it gets a request for the same URL, it returns the same HTML that was returned the first time.  This actually means the server is never contacted at all.

As I'm just talking about the proxy here, the server is not even aware that a second user requested the same URL, and so has no opportunity to produce different HTML using the correct UserInfo object...

Does that make any sense to you?

0
 

Expert Comment

by:hutkey
ID: 11037997
similar kind of problem is bugging me with my system.
i have used a jsp as controller, and i am not using any bean to store the user information. i store the information directly using session.setAttibute() method in login.jsp.
the logout.jsp has session.invalidate() method.
even i logout the attributes from previous session are used to process the current requests.

please help.

thanx in advance
0
 

Author Comment

by:ramil600
ID: 11038073
My solution was to implement the Serializable interface for objects put to the session.
Another reason may be proxy, which forwards the cached pages, you may use "cache-control"  header in your page.
0
 

Expert Comment

by:hutkey
ID: 11038541
currently, there is no proxy problem. the system is still in testing phase and is being tested on the standalone machine.

i used "cache-control" header,
implemented session.invalidated(),
deleted "work" directory,
reinstalled tomcat(5.0.18),

but no change.

help, thnx in adv.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are times when I have encountered the need to decompress a response from a PHP request. This is how it's done, but you must have control of the request and you can set the Accept-Encoding header.
If you need to forecast numbers -- typically for finance -- the Windows and Mac versions of Excel 2016 have a basket of tools to get the job done.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…

631 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question