Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Session object  of previously logined users is retrieved

Posted on 2004-04-19
9
Medium Priority
?
831 Views
Last Modified: 2010-04-01
Hi,

I encountered a problem while testing my web application in the internet.
When user is authorized, the parameters of this user are stored in the
"UserInfo" object and put to the session, as the below:

                    /** LoginAction.java**/

  if (errorDetected == false){
           UserInfo userInfoBean = userDBBean.ParseUserInfo(username,
verify);
           userInfoBean.setU_KulAdiNosu(verify);
           HttpSession session = req.getSession();
           session.setAttribute("user", userInfoBean );
           logined = "true";
           session.setAttribute("logined", logined );
...
During the tests, when you login to the application, surprisibgly the
session of previously logined user is retrieved.

The UserInfo object is retreived later in jsp page :
UserInfo userInfoBean = ( UserInfo )session.getAttribute("user");

Can you give me a hint how to avoid this session problem?

Thank you in advance, for your help!
Ramil.
0
Comment
Question by:ramil600
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 35

Expert Comment

by:TimYates
ID: 10857803
Are you using two browsers on the same machine?  They could be sharing the same session...

Try using 2 different machines, or start 2 instances of the browser

DO:  Load 2 seperate browsers
DONT:  Press Ctrl-N or "File->New Window" to get the second browser window...
0
 
LVL 7

Expert Comment

by:searlas
ID: 10857843
Additionally, you should probably have a log off action that calls session.invalidate() to log off a user (this may not be a requirement or even necessary depending on your application; but it's good to do security-wise, and to enable you to quickly test and develop without constantly being forced to start up a new browser whenever you want a new session.)

0
 

Author Comment

by:ramil600
ID: 10858090
I implement session.invalidate() in
logout process LogoutAction.java.

The problem is not so simple, when we test on our local net, there is no problem with sessions. But when the client firm tests in the internet, regardless is the machine same or not, some jsp pages, not all! , retrieve the session of the previous users!

It is really annoying problem! Have you any suggestions.
I am not expert but should we implement java.io.Serializable interface for UserInfo object which is put in the Session.

Another question what advantages will give us "serializing" the object?

Thank you in advance!
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 7

Accepted Solution

by:
searlas earned 375 total points
ID: 10858285
All objects added to a session should be Serializable.  The benefits of serialization become clear when you have a large number of users.  Instead of the server holding all users sessions in memory, it writes the currently inactive sessions to disk (this is called passivating.)  Then, when a user makes another request, the server may have to fetch the session contents from disk again.  To ensure this passivate/activate mechanism works correctly all the objects stored in the sessio should implement Serializable.

You say the client sees other users login data... is this fresh data, or is it stale?  i.e. could it be there proxy settings which are causing them to see other users pages?  I've encountered this problem before, and it requires either proxy configuration, using POST instead of GET (on forms), or adding a timestamp/unique-id parameter to all url's.  Hopefully you'll find proxy configuration to be sufficient.
0
 

Author Comment

by:ramil600
ID: 10858340
RE:You say the client sees other users login data... is this fresh data, or is it stale?  i.e. could it be there proxy settings which are causing them to see other users pages?  I've encountered this problem before, and it requires either proxy configuration, using POST instead of GET (on forms), or adding a timestamp/unique-id parameter to all url's.  Hopefully you'll find proxy configuration to be sufficient.

Thank you, searlas.
The data seems to be not very fresh,but it may also be the data from user that logined half a minute before. So I am not sure about this?
The application retrieves data from database, according to the object UserInfo stored in the session. (This object was not serializable).
Also you mentioned about proxy settings. How can it affect the sessions of different users?
0
 
LVL 7

Expert Comment

by:searlas
ID: 10858852
Proxies sometimes just cache based on URL, so if you had a page like:
http://foo.bar/shop/basket.jsp?command=add&productId=245

Once fetched this may be cached.  As the proxy has no knowledge of the purpose of this page (i.e. to add an item to a shopping basket) the next time it gets a request for the same URL, it returns the same HTML that was returned the first time.  This actually means the server is never contacted at all.

As I'm just talking about the proxy here, the server is not even aware that a second user requested the same URL, and so has no opportunity to produce different HTML using the correct UserInfo object...

Does that make any sense to you?

0
 

Expert Comment

by:hutkey
ID: 11037997
similar kind of problem is bugging me with my system.
i have used a jsp as controller, and i am not using any bean to store the user information. i store the information directly using session.setAttibute() method in login.jsp.
the logout.jsp has session.invalidate() method.
even i logout the attributes from previous session are used to process the current requests.

please help.

thanx in advance
0
 

Author Comment

by:ramil600
ID: 11038073
My solution was to implement the Serializable interface for objects put to the session.
Another reason may be proxy, which forwards the cached pages, you may use "cache-control"  header in your page.
0
 

Expert Comment

by:hutkey
ID: 11038541
currently, there is no proxy problem. the system is still in testing phase and is being tested on the standalone machine.

i used "cache-control" header,
implemented session.invalidated(),
deleted "work" directory,
reinstalled tomcat(5.0.18),

but no change.

help, thnx in adv.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
By default Outlook 2016 displays only one time zone in the Calendar. The following article explains how to display two time zones in one calendar view.
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question