File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes JSP and the fly likes Sometimes users see other's secure data over ssl on jsp struts and glassfish Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » JSP
Bookmark "Sometimes users see other Watch "Sometimes users see other New topic

Sometimes users see other's secure data over ssl on jsp struts and glassfish

Amir AliSe

Joined: Dec 30, 2010
Posts: 2

I am working in a very secure banking environment, where data privacy is the highest concern. I am facing a very critical issue. After every few days we get a complain from our customers that when they logged in they saw statement of another person. This problem is only temporary and it shows them their correct statement once they refresh the page. I have tried many things to resolve this problem, and have also recreated the application from scratch but I'm still unable to resolve the issue.

- I have also disabled any cache through:

response.setHeader("Cache-Control", "no-cache,must-revalidate"); //HTTP 1.1
response.setHeader("Pragma", "no-cache"); //HTTP 1.0
response.setDateHeader("Expires", -1); //prevents caching at the proxy server


Is anyone else facing the same issue or has ever faced this issue? if so then what is the solution? In my latest research I found that I am not exclusively flushing out the buffer by out.flush(). Can this be a issue? I always assume jsp has auto flush because of which I never used out.flush() exclusively.

Also, to add that when the users see the junk statements of another user and do a view source on the browser then the content of the html and what is being displayed is totally different.

This matter is urgent and any of your ideas would be helpful for me.

- JSP 2.1
- Struts 2.1.8
- Glasshfish v3
- Using HTTPS

Amir Ali
William Brogden
Author and all-around good cowpoke

Joined: Mar 22, 2000
Posts: 13036
The usual cause is that somewhere there are instance variables used inside an object which is shared by all requests, for client specific data.

IF this was my problem I would first be looking at the servlet code compiled from JSP pages, since JSP code may be hard to interpret.

Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 63852

Do you have instance variables in your servlets?
Do you have Java code in your JSPs?
Did you use a mapping such as *.html for you servlet mappings?

All of these can cause such problems.

[Asking smart questions] [About Bear] [Books by Bear]
Amir AliSe

Joined: Dec 30, 2010
Posts: 2
1. I am using RMI calls to retrieve data from the database. This problem exists even when I was not using RMI calls.

Yes I have Java code in my jsp. This is where I am calling my Interface from RMI Server and creating the statement table. It is to be noted that the page where the user see other's statement is not the page where statement is coded i.e. Other users never see other's statements on the page where statement is coded and should be shown. It looks like a crash situation with a trimed down dump of other user's statement.

Here is the source code of the statement code which is shown to other users on other pages on crash situation which is not reproducible.

2. My Servlets are only being used for displaying the jsp and there is no code written in them as the main business logic is written in RMI Server who's interface i get in the jsp page.

3. I don't have any mappings like *.html or *.jsp

Are there any more do's and dont's that I should look into?

Amir Ali
I agree. Here's the link:
subject: Sometimes users see other's secure data over ssl on jsp struts and glassfish
It's not a secret anymore!