Solved

Session object of previously logged-in users is retrieved

Posted on 2004-04-19
815 Views
Last Modified: 2010-04-01
Hi,

I encountered a problem while testing my web application on the internet.
When a user is authorized, the parameters of this user are stored in a
"UserInfo" object and put into the session, as below:

    /** LoginAction.java **/

    if (errorDetected == false) {
        // build the per-user bean from the database and store it in the session
        UserInfo userInfoBean = userDBBean.ParseUserInfo(username, verify);
        userInfoBean.setU_KulAdiNosu(verify);
        HttpSession session = req.getSession();
        session.setAttribute("user", userInfoBean);
        logined = "true";
        session.setAttribute("logined", logined);
    ...
During the tests, when you log in to the application, surprisingly the
session of the previously logged-in user is retrieved.

The UserInfo object is retrieved later in the JSP page:
    UserInfo userInfoBean = (UserInfo) session.getAttribute("user");

Can you give me a hint on how to avoid this session problem?

Thank you in advance for your help!
Ramil.
Question by:ramil600
9 Comments
 
Expert Comment by: TimYates (LVL 35), ID: 10857803
Are you using two browsers on the same machine? They could be sharing the same session...

Try using 2 different machines, or start 2 instances of the browser.

DO: Load 2 separate browsers
DON'T: Press Ctrl-N or "File->New Window" to get the second browser window...
Expert Comment by: searlas (LVL 7), ID: 10857843
Additionally, you should probably have a logoff action that calls session.invalidate() to log off a user (this may not be a requirement or even necessary depending on your application, but it's good to do security-wise, and to enable you to quickly test and develop without constantly being forced to start up a new browser whenever you want a new session).

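As an added example (not code from this thread), here is what a logout action built on session.invalidate() looks like as a servlet, together with a helper for the login side. The class names, the /login.jsp redirect target and the cookie path are assumptions; authentication itself is assumed to have already happened (the original's ParseUserInfo step). The login-side helper renews the session id at login, which goes beyond what the comment above discusses.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logout handler: destroys the server-side session and tells the browser to
 * forget the session cookie, so neither side can hand the old id to the next user.
 */
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false): do not create a fresh session just to destroy it
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();   // container forgets the id and every attribute ("user", "logined", ...)
        }

        // Expire the JSESSIONID cookie client-side as well. The cookie path must match the
        // one the container used when it issued the cookie; the default is the context path
        // (or "/" for the root context). Assumption: the container's default cookie settings.
        String path = req.getContextPath().length() == 0 ? "/" : req.getContextPath();
        Cookie dead = new Cookie("JSESSIONID", "");
        dead.setMaxAge(0);
        dead.setPath(path);
        resp.addCookie(dead);

        // The logout response itself must not be cached, or the Back button may resurrect it.
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(req.getContextPath() + "/login.jsp");   // hypothetical login page
    }
}

/**
 * Login side: once credentials are verified, drop the pre-login session and issue a
 * new id before storing the user. This is the standard defence against session
 * fixation (an attacker planting a known session id before the victim logs in).
 */
class AuthenticatedSession {

    static HttpSession start(HttpServletRequest req, Object userInfoBean) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();                        // anything stored before login goes with the old id
        }
        HttpSession fresh = req.getSession(true);    // new id, sent to the browser with this response
        fresh.setAttribute("user", userInfoBean);
        fresh.setAttribute("logined", "true");
        fresh.setMaxInactiveInterval(15 * 60);       // idle timeout in seconds; assumption: 15 minutes
        return fresh;
        // Servlet 3.1+ also offers req.changeSessionId(), which renews the id but keeps attributes.
    }
}
```

Wire LogoutServlet to a POST form rather than a plain link, so a cached GET to the logout URL cannot be replayed by a proxy, and call AuthenticatedSession.start() only after the credential check has succeeded.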
 

Author Comment by: ramil600, ID: 10858090
I implemented session.invalidate() in the logout process, LogoutAction.java.

The problem is not so simple: when we test on our local network, there is no problem with sessions. But when the client firm tests on the internet, regardless of whether the machine is the same or not, some JSP pages (not all!) retrieve the session of the previous users!

It is a really annoying problem! Have you any suggestions?
I am not an expert, but should we implement the java.io.Serializable interface for the UserInfo object which is put in the session?

Another question: what advantages will "serializing" the object give us?

Thank you in advance!
Accepted Solution by: searlas (LVL 7), earned 125 total points, ID: 10858285
All objects added to a session should be Serializable. The benefits of serialization become clear when you have a large number of users. Instead of the server holding all users' sessions in memory, it writes the currently inactive sessions to disk (this is called passivating). Then, when a user makes another request, the server may have to fetch the session contents from disk again. To ensure this passivate/activate mechanism works correctly, all the objects stored in the session should implement Serializable.

You say the client sees other users' login data... is this fresh data, or is it stale? i.e. could it be their proxy settings which are causing them to see other users' pages? I've encountered this problem before, and it requires either proxy configuration, using POST instead of GET (on forms), or adding a timestamp/unique-id parameter to all URLs. Hopefully you'll find proxy configuration to be sufficient.
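An added example, not part of the accepted solution, showing what Serializable buys and what passivation actually does to a session attribute. The UserInfo class here is a stand-in for the original (field names are assumptions; the value the original passes to setU_KulAdiNosu() is modelled as a transient field), and roundTrip() imitates the container's write-to-disk and read-back step in memory.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Session-scoped user record (stand-in for the original UserInfo).
 * Every non-transient field must itself be Serializable, or the whole
 * object fails to passivate.
 */
public class UserInfo implements Serializable {
    // Pin the stream version: without it, recompiling the class changes the
    // computed UID and sessions written by the old build fail to deserialize.
    private static final long serialVersionUID = 1L;

    private final String username;   // assumption: plain strings, which are Serializable
    private final String role;
    // Stand-in for the value the original passes to setU_KulAdiNosu(): marked
    // transient, so it is NOT written to disk and comes back as null after
    // activation. Anything the JSP later reads must tolerate that.
    private transient String verifyToken;

    public UserInfo(String username, String role, String verifyToken) {
        this.username = username;
        this.role = role;
        this.verifyToken = verifyToken;
    }

    public String getUsername()    { return username; }
    public String getRole()        { return role; }
    public String getVerifyToken() { return verifyToken; }

    /** In-memory imitation of the container: serialize on passivation, deserialize on activation. */
    static Object roundTrip(Object attribute) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(attribute);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        UserInfo before = new UserInfo("ramil", "user", "one-time-token");   // constructed sample
        UserInfo after = (UserInfo) roundTrip(before);

        System.out.println("username survived passivation: " + before.getUsername().equals(after.getUsername()));
        System.out.println("transient token after activation: " + after.getVerifyToken());

        // An attribute that is not Serializable cannot be passivated at all.
        try {
            roundTrip(new Object());
        } catch (NotSerializableException e) {
            System.out.println("non-Serializable attribute rejected: " + e);
        }
    }
}
```

Running main shows the persistent fields surviving, the transient field returning as null, and the plain Object being rejected with NotSerializableException. Tomcat, for example, logs a warning and skips such an attribute when it writes a session out, so it is simply missing when the session is reactivated; that is the failure a non-Serializable UserInfo produces, which is different from one user seeing another user's data.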
Author Comment by: ramil600, ID: 10858340
RE: You say the client sees other users' login data... is this fresh data, or is it stale? i.e. could it be their proxy settings which are causing them to see other users' pages? I've encountered this problem before, and it requires either proxy configuration, using POST instead of GET (on forms), or adding a timestamp/unique-id parameter to all URLs. Hopefully you'll find proxy configuration to be sufficient.

Thank you, searlas.
The data seems to be not very fresh, but it may also be the data from a user that logged in half a minute before. So I am not sure about this.
The application retrieves data from the database according to the UserInfo object stored in the session. (This object was not Serializable.)
Also, you mentioned proxy settings. How can they affect the sessions of different users?
Expert Comment by: searlas (LVL 7), ID: 10858852
Proxies sometimes just cache based on URL, so if you had a page like:
http://foo.bar/shop/basket.jsp?command=add&productId=245

Once fetched, this may be cached. As the proxy has no knowledge of the purpose of this page (i.e. to add an item to a shopping basket), the next time it gets a request for the same URL, it returns the same HTML that was returned the first time. This actually means the server is never contacted at all.

As I'm just talking about the proxy here, the server is not even aware that a second user requested the same URL, and so has no opportunity to produce different HTML using the correct UserInfo object...

Does that make any sense to you?

Expert Comment by: hutkey, ID: 11037997
A similar kind of problem is bugging me with my system.
I have used a JSP as controller, and I am not using any bean to store the user information. I store the information directly using the session.setAttribute() method in login.jsp.
The logout.jsp has the session.invalidate() method.
Even when I log out, the attributes from the previous session are used to process the current requests.

Please help.

Thanks in advance
Author Comment by: ramil600, ID: 11038073
My solution was to implement the Serializable interface for objects put into the session.
Another reason may be a proxy which forwards cached pages; you may use the "Cache-Control" header in your page.
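The proxy-caching scenario searlas describes above, and the "Cache-Control" header ramil600 mentions in the comment just before this, implemented as a servlet filter. This is an added example, not code from the thread; the filter class name and the /app/* URL pattern are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Marks every response that passes through it as uncacheable, so neither a shared
 * proxy nor the browser cache can serve one user's rendered page to another user
 * who requests the same URL.
 */
public class NoStoreFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (resp instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) resp;
            // Headers must be set BEFORE the JSP writes its body: once the response is
            // committed, setHeader() is silently ignored. A filter guarantees the ordering;
            // a <% response.setHeader(...) %> near the bottom of a JSP does not.
            //
            // no-store:                  keep no copy anywhere (HTTP/1.1 caches, shared or private)
            // private:                   defence in depth for caches that only honour private/public
            // no-cache, must-revalidate: a cache that kept a copy anyway must re-ask the origin
            http.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, private");
            http.setHeader("Pragma", "no-cache");   // HTTP/1.0 proxies ignore Cache-Control
            http.setDateHeader("Expires", 0);       // 1 Jan 1970: already stale for any date-based cache
        }
        chain.doFilter(req, resp);
    }
}

/*  web.xml registration (Servlet 2.3+, so Tomcat 4 and 5 qualify). Assumption: the
    authenticated pages live under /app/; narrow the pattern to whatever your app uses.

    <filter>
        <filter-name>NoStoreFilter</filter-name>
        <filter-class>NoStoreFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>NoStoreFilter</filter-name>
        <url-pattern>/app/*</url-pattern>
    </filter-mapping>
*/
```

Verify from outside the proxy that the headers actually reach the client (for instance with curl -sI against a page under the pattern and checking for the Cache-Control line). If a page still comes back stale with the headers present, the proxy is ignoring them and needs its own configuration, which is the case searlas mentions above.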
 

Expert Comment by: hutkey, ID: 11038541
Currently, there is no proxy problem. The system is still in the testing phase and is being tested on a standalone machine.

I used the "Cache-Control" header,
implemented session.invalidate(),
deleted the "work" directory,
reinstalled Tomcat (5.0.18),

but no change.

Help, thanks in advance.