File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes JSF and the fly likes HttpSessions getting mixed up Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Java » JSF
Bookmark "HttpSessions getting mixed up" Watch "HttpSessions getting mixed up" New topic
Author

HttpSessions getting mixed up

Sushma Sharma
Ranch Hand

Joined: Jun 02, 2005
Posts: 139
Hi,

I am having trouble with HttpSession. here is whats happening
When a user logs into the site, I get his name and other information from the database and store it in the session. now user1 logs into the site and it shows that he actually logged in as someone else(user2). The user2 has never used user1's machine and they are sitting in different countries/time zones, so it can not be a cookie issue. So the question is, why is one user's session getting mixed up with the user user?
I am using MyFaces1.1 with BEA Weblogic8.1 sp6 server. Can be there be a bug in the session id generation algorithm, so its generating same session id and thats why it mixes sessions?
Any help is appreciated.

Sushma
[ August 01, 2007: Message edited by: Bear Bibeault ]
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41155
    
  45
Any chance that some of the code is not thread-safe, and that this is a concurrency problem?


Ping & DNS - my free Android networking tools app
Sushma Sharma
Ranch Hand

Joined: Jun 02, 2005
Posts: 139
I don't know actually... I know that session attributes are not thread safe.. but, I was under impression that two threads working for the same session will mess up attributes for that session, not for other sessions... how do I make sure that its the multithreading problem?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41155
    
  45
The crucial question as to whether there are concurrency issues is if there is shared mutable data - any objects (whether in the session or not makes no difference) that are shared between threads, e.g. servlet instance variables, session attributes, web context attributes etc. If any of these might change their value over time, access to it may have to be synchronized.
Sushma Sharma
Ranch Hand

Joined: Jun 02, 2005
Posts: 139
as I wrote earlier, the user information is stored in the Session. and there are other managed beans which access this attribute. But once set, this attribute is only retrieved, never set again as I always check for the attribute in the session and pick it from there. and its set from one bean only.
[ August 01, 2007: Message edited by: Sushma Sharma ]
Sushma Sharma
Ranch Hand

Joined: Jun 02, 2005
Posts: 139
when it comes to concurrency and multithreading issues, I have no confidence. Can somebody help me please?
Thanks in advance..
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41155
    
  45
As I said, session attributes are not the only possible sources of multi-threading issues. The same applies to web context attributes and servlet instance variables. How are you handling those?
Sushma Sharma
Ranch Hand

Joined: Jun 02, 2005
Posts: 139
I am not using servletContext attributes and I am not using servlets. and I haven't used static variables.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15962
    
  19

Originally posted by Sushma Sharma:
I am not using servletContext attributes and I am not using servlets. and I haven't used static variables.


You don't have to be using static variables. One of the worst atrocities I ever saw was when someone was storing JDBC Connection objects in member variables in all his Struts Action Processors.

Fortunately, JSF makes that sort of behaviour a little less likely.


Customer surveys are for companies who didn't pay proper attention to begin with.
Sushma Sharma
Ranch Hand

Joined: Jun 02, 2005
Posts: 139
I am not storing JDBC connections or anything like that as member variables. Everytime, I retrieve information from the database, I call a method of DAO. this method creates a connection and returns me the results. and all the variables are local in the method, so it shouldn't be affected by concurrent access, right?
Sushma Sharma
Ranch Hand

Joined: Jun 02, 2005
Posts: 139
here is an update. Actually, only the user who logs in, his information is getting messed up sometimes.. all the other info saved in the session is always correct.
Tony McClay
Ranch Hand

Joined: May 22, 2003
Posts: 33
Sorry that the answers I have seen have not answered your question because this should not happen in this fashion. The lowest lying fruit is Concurrency issues, but it sounds like you are sure that is not the case.

Here are a few suggestions.

1.
At every point of the login process for both users, write to the log file the information and the jsessionid, so that you are sure what is happening.

2.
If you are unable to track down where this is happening, I suggest you code a HttpSessionAttributeListener.

Actually HTTPSessionAttributeListener and/or HTTPSessionBindingListener. The BindingListener will tell you when these values are bound to the session, and the Attribute Listener will tell you information about the attribute itself.

http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/http/HttpSessionAttributeListener.html
or

This will better inform you of when the attribute was added, removed, or in your case, you believe was changed.


example:

import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;

public class SessionAttribListen implements HttpSessionAttributeListener {


-- There are many code examples for this on the Web and the Sun Java Tutorial. That should point you in the right direction.

Tony
Sun Certified Web Business Component Developer
Sun Certified Web Components Developer
Sun Certified Programmer for the Java 2 Platform


Tony McClay<br />Architect / Developer, SOA and Jave Enterprise Edition 1-5<br />---------------------------------------------------------------------- <br />Sun Certified Enterprise Architect, Enterprise Edition 5 (Step 1 of 3)<br />Sun Certified Web Component Developer, Enterprise Edition 4<br />Sun Certified Business Component Developer Enterprise Edition 5<br />Sun Certified Programmer , Standard Edition 5.0
Sushma Sharma
Ranch Hand

Joined: Jun 02, 2005
Posts: 139
Tony,

thanks for the reply. even though, I knew about Listeners very well, it never occured to me that I should add a sessionAttributeListener as I was focused on other things more.
Also, do you know anything about siteminder? Acually, I get the uer id as a header from siteminder server and there is a proxy server also. is it possible that one of those is caching or giving me wrong uid.
I am printing the user header now, but haven't heard from the user having trouble, so thinking of all possible reasons.
Tony McClay
Ranch Hand

Joined: May 22, 2003
Posts: 33
sorry never used siteminder server yet. But you are right. It does sound like a place to look.

Sounds like you are well on your well to solving your problem.

Best of luck.

Tony
Sun Certified Web Business Component Developer
Sun Certified Web Components Developer
Sun Certified Programmer for the Java 2 Platform
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: HttpSessions getting mixed up
 
Similar Threads
Tomcat: dual requests to same action result in missing session data
Confused on http session..
Serlvet Execution problem
Doubt in an Object instance while using evict() method
Test duplication on db with exception...am I on the right track?