session swapping - the burning issue

chaitanya kiranpvn
Greenhorn

Joined: Jun 28, 2009
Posts: 8
hi,

We are facing a user session swapping issue. We are storing the user's session using setAttribute(). We are finding that the users' JSession id is swapped and the users' balances are also swapped.

Here is the scenario: first user A logs in to the application and he has a balance amount of $100, then user B logs in and he has $150 in his balance, but user B's interface shows $100 and the JSession id is the same for userA and userB.

We are using the WebLogic 10.3 server and Apache balance. Please let me know if there are any environment settings in WebLogic.

Thanks
Chaitanya

Seetharaman Venkatasamy
Ranch Hand

Joined: Jan 28, 2008
Posts: 5575

How are you identifying the user (session) before setting the value in it?
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336


and the JSession id is the same for userA and userB.

That doesn't sound right. The session id is tied to the browser instance used to make the request - I'm assuming you are logging in on the same browser and perhaps not properly invalidating the session on log out?

chaitanya kiranpvn
Greenhorn

Joined: Jun 28, 2009
Posts: 8
hi,

We are using it like this: HttpSession session=request.getSession(true), then we use session.setAttribute().

thanks
chaitanya
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

OK, so assuming you have two separate requests coming from two different browser instances, or one browser instance where you have invalidated the session after the first request, the JSessionid should not be the same. Is this the case?
chaitanya kiranpvn
Greenhorn

Joined: Jun 28, 2009
Posts: 8
Hi,

We are using two separate requests coming from two different browser instances.
One user is still in the session and another user is also getting the same session (JSessionId), but it happens rarely. Is this because of a proxy server or WebLogic server problem?

thanks
chaitanya
Seetharaman Venkatasamy
Ranch Hand

Joined: Jan 28, 2008
Posts: 5575

chaitanya kiranpvn wrote:
We are using two separate requests coming from two different browser instances.


For example, do you mean one is from IE and another is from Mozilla? Well, is this on the same machine or a different machine?
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

chaitanya kiranpvn wrote:
Hi,

We are using two separate requests coming from two different browser instances.
One user is still in the session and another user is also getting the same session (JSessionId), but it happens rarely. Is this because of a proxy server or WebLogic server problem?

thanks
chaitanya


Can you tell us more about your infrastructure? Ending up with the same jsessionid from two different browsers is not normal behaviour. You say you have a proxy server? What is it doing? Is it load balancing? Does it preserve the session id passed from the browser?
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12761

We are finding that the users' JSession id is swapped and the users' balances are also swapped.


I would be willing to bet that somewhere in your code there is improper use of one or more instance variables.

Bill
chaitanya kiranpvn
Greenhorn

Joined: Jun 28, 2009
Posts: 8
hi,


We are using Apache for load balancing and we are not preserving the session details in Apache.

thanks
chaitanya
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

I suspect William is probably correct. That aside, it could possibly be something to do with your load balancing configuration. By "Apache" I assume you mean you are using Apache HTTP Server and its software-based load balancing? Are you using sticky sessions or session replication?
chaitanya kiranpvn
Greenhorn

Joined: Jun 28, 2009
Posts: 8
hi,

We don't have any entry regarding session replication in weblogic.xml and we are using only session.setAttribute() to store the session.

thanks
chaitanya
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336


and we are using only session.setAttribute() to store the session.

What do you mean by this? Why do you have to maintain the session yourself? The servlet container will do this for you. Or am I misunderstanding what you are saying?
chaitanya kiranpvn
Greenhorn

Joined: Jun 28, 2009
Posts: 8

hi,

Actually, when the user logs in to the application a filter is called, and in that filter we are using
HttpSession session=request.getSession(true); this is the only place the session is created. The session.setAttribute() I mentioned is for setting the session values.

thanks
chaitanya
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Can you post your filter's doFilter() method?
chaitanya kiranpvn
Greenhorn

Joined: Jun 28, 2009
Posts: 8
hi,

We are using it like this in our filter.


thanks
chaitanya
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

What does your business logic do? Can we see that?
binayakumar patel
Greenhorn

Joined: Jun 26, 2009
Posts: 27
Hi chaitanya,

Generally this never happens, because when there is a new login we create a new HttpSession and set the value in that.
You need to debug the code properly. I think the object which you are using to get the value is returning the same value.
Please try with userA, userB and userC; if the value is the same for all these cases, then there is a problem with the object from which
you are getting the value.

When you are creating the session after a successful login,
try to use this code...

Mike Giddens
Greenhorn

Joined: Aug 12, 2009
Posts: 2
As Bill alluded to, this really sounds like there may be static variables in play.
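
An added illustration of the failure mode Bill and Mike suspect (not code from this thread or from the poster's application): a servlet or filter is a single instance called by many request threads, so per-request data kept in an instance or static field can be overwritten by another request before it is read back. The class names, the `slowStep` hook and the balance map are constructed for this sketch, and no servlet API is needed to run it.

```java
import java.util.Map;
import java.util.concurrent.CountDownLatch;

public class SessionSwapDemo {
    // Constructed sample data matching the balances in the question.
    static final Map<String, Integer> BALANCES = Map.of("userA", 100, "userB", 150);

    interface Handler { int handle(String user, Runnable slowStep); }

    // Like a servlet or filter: one instance, called by many request threads.
    static class BrokenHandler implements Handler {
        private String currentUser;              // shared by every request
        public int handle(String user, Runnable slowStep) {
            currentUser = user;                  // per-request data kept on the instance
            slowStep.run();                      // e.g. a database call
            return BALANCES.get(currentUser);    // may be another request's user by now
        }
    }

    static class FixedHandler implements Handler {
        public int handle(String user, Runnable slowStep) {
            String currentUser = user;           // local variable: private to this call
            slowStep.run();
            return BALANCES.get(currentUser);
        }
    }

    // Runs userB's request, and userA's request while userB's is in its slow step.
    static int balanceShownToUserB(Handler h) throws InterruptedException {
        CountDownLatch bPaused = new CountDownLatch(1), aDone = new CountDownLatch(1);
        int[] shown = new int[1];
        Thread b = new Thread(() -> shown[0] = h.handle("userB", () -> {
            bPaused.countDown();                 // userB's request has stored its user
            try { aDone.await(); }               // wait until userA's request has run
            catch (InterruptedException e) { Thread.currentThread().interrupt(); }
        }));
        b.start();
        bPaused.await();
        h.handle("userA", () -> { });            // second request on the same instance
        aDone.countDown();
        b.join();
        return shown[0];
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared field:   userB sees $" + balanceShownToUserB(new BrokenHandler()));
        System.out.println("local variable: userB sees $" + balanceShownToUserB(new FixedHandler()));
    }
}
```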
raj jawa
Greenhorn

Joined: Jan 24, 2013
Posts: 1
Was this resolved?
 