I'm assuming the servlet is run by a different Session than the logged in user. Something like an Admin Servlet right?
If so, there are several ways to handle this.
1) have the user refresh from your data store on each request
2) create an HttpSessionBindingListener and place it in the ServletContext as each User is created, get the sessionId and place it in a map. The servlet can then get the map and refresh the user. If a user is unbound, remove it from the map.
Basicly when the user logs on, his or her details are stored in the "User" bean. This details come from the database and stored in this bean which is available to the user for the scope of the session.
Every request the user makes uses this bean to check what products the user can view. This bean is created when the user logs in. The only way to refresh it is to log out the user.
If this user's profile is updated, the change is made to the database. If the user is still logged on, the bean in his session will still contain the old profile information.
I am trying to refresh or destroy all User beans on all sessions if a user 's profile is updated. This will force the beans to be re-created with the updated information.
Hope that made it clearer. [ May 24, 2006: Message edited by: O. Ziggy ]
Pusing invalidation message to all session variables would be difficult to achieve, but you can have some kind of check in your user bean which checks for last update date in your web application either the database or some variable in application wide context.