Hi all, In preparing for the exam, I am a little unsure about the need to synchronize access to the user Session object in a servlet. I have been dealing with servlets for a while, and have never synchronized access to the session before, and never even thought about the issue until my preparations for the exam. So what I gather is this (and I'm hoping some of you can correct me or confirm I'm correct): Access to the session is inherently NOT thread-safe, as servlets are muti-threaded, and multiple threads (from multiple requests from the same user) may collide when manipulating the session attributes. Further, you may implement a session listener that manipulates the session attributes in some way, further requiring you to synchronize access to the session object. Implementing SingleThreadModel in your servlet does not help your situation, as the same user's session may be changed by different servlets requested by the same user at the same time (or the same servlet that the container holds a pool of references to). So the bottom line to me is that if you can be certain that no two threads will access the same session at the same time, there is no need for you to synchronize access. If, on the other hand, you have the possibility of a user hitting different servlets that access his session, or you have some external class that hsa access to the sessions on the server. Please let me know if I have this straight, or if I'm missing something. Thanks, Bill
Yes, you have to protect the Session attributes. Each application needs to answer these questions. Most examples I've seen use a Hashtable to store the sensitive information and gain this protection from Hashtables syncronization. You need to ensure your implementation takes in to account threading issues to ensure they are protected.
My understanding is session attributes are always thread safe, because each sesssion is only used by one client. Normally, there is only one instance of servlet. Many thread can access this servlet instance. So, Instance variable is not thread safe. However, the running thread can only access the session belong to this thread which is corresponding to this client. So, sesssion attribute is thread safe. Hashtable is another issue. For example, if you use a Hashtable as instance variable, it is still not thread safe. Say, there is a shopping cart servlet which has a Hashtable as instance to hold shopping item. There is only one instance of servlet. I put item A in Hashtable. You put item B in this Hashtable, this will cause problem. We end up buying A and B. Therefore, we need to put this Hastable in doPost() as a local variable. Local variable is threadsafe. In fact, we can use HashMap to replace this Hashtable. There is no need to worry that multiple threads will access this local variable.
Jun Hong<br />SCJP, SCJD, SCWCD, SCEA<br />IBM Certified Systems Expert(V4.0)
"My understanding is session attributes are always thread safe, because each sesssion is only used by one client. " Unfortunately there are many situations in which a single client browser may have multiple requests pending. Consider a simple page with multiple image requests for instance, or a page with multiple frames, or even a simple page where the user clicked a link twice by accident. Therefore, you must carefully analyze the situation when using or modifying objects stored in sessions. Bill ------------------ author of: