Sometimes users see others' secure data over SSL on JSP, Struts and GlassFish
I am working in a very secure banking environment, where data privacy is the highest concern. I am facing a very critical issue. Every few days we get a complaint from our customers that when they logged in they saw the statement of another person. This problem is only temporary and it shows them their correct statement once they refresh the page. I have tried many things to resolve this problem, and have also recreated the application from scratch, but I'm still unable to resolve the issue.
- I have also disabled any caching through:
response.setHeader("Cache-Control", "no-cache,must-revalidate"); //HTTP 1.1
response.setHeader("Pragma", "no-cache"); //HTTP 1.0
response.setDateHeader("Expires", -1); //prevents caching at the proxy server
Is anyone else facing the same issue or has ever faced this issue? If so, then what is the solution? In my latest research I found that I am not explicitly flushing the buffer with out.flush(). Can this be an issue? I always assumed JSP has auto flush, because of which I never used out.flush() explicitly.
Also, to add that when the users see the junk statements of another user and do a view source in the browser, the content of the HTML and what is being displayed are totally different.
This matter is urgent and any of your ideas would be helpful for me.
1. I am using RMI calls to retrieve data from the database. This problem existed even when I was not using RMI calls.
Yes, I have Java code in my JSP. This is where I am calling my interface from the RMI server and creating the statement table. It is to be noted that the page where the user sees others' statements is not the page where the statement is coded, i.e. users never see others' statements on the page where the statement is coded and should be shown. It looks like a crash situation with a trimmed-down dump of another user's statement.
Here is the source code of the statement code which is shown to other users on other pages in the crash situation, which is not reproducible.
2. My servlets are only being used for displaying the JSP and there is no code written in them, as the main business logic is written in the RMI server whose interface I get in the JSP page.
3. I don't have any mappings like *.html or *.jsp.
Are there any more do's and don'ts that I should look into?
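The symptom described in the post (one customer briefly seeing another customer's statement, correct again on refresh, sometimes with a mangled page) is the classic signature of per-request data kept in state that is shared across requests, such as a field declared in a JSP `<%! ... %>` block, and is not something cache headers or `out.flush()` can fix. The post does not identify its root cause, so the following is an added Java illustration of that failure mode beside its request-scoped form, not the poster's code; the names `StatementLeakDemo`, `Page`, `SharedStatePage`, `RequestScopedPage` and `countLeaks` and the sample account ids are my own.

```java
import java.util.concurrent.ConcurrentHashMap;
// Added illustration, not the poster's code. A JSP compiles to ONE servlet instance
// that serves all users at once, so fields declared in <%! ... %> are shared by
// every concurrent request; only locals and request/session attributes are private.
public class StatementLeakDemo {
    interface Page { String render(String account) throws Exception; }
    // BAD: models `<%! String account; StringBuilder statement; %>` in the JSP.
    static class SharedStatePage implements Page {
        private String account;            // one copy for all concurrent users
        private StringBuilder statement;
        public String render(String requested) throws Exception {
            account = requested;
            statement = new StringBuilder();
            Thread.sleep(5);               // stands in for the RMI round trip;
            // another user's request may have overwritten both fields by now
            return statement.append("Statement for ").append(account).toString();
        }
    }
    // GOOD: per-request data lives only in locals (scriptlet `<% %>` variables).
    static class RequestScopedPage implements Page {
        public String render(String requested) throws Exception {
            String account = requested;
            StringBuilder statement = new StringBuilder();
            Thread.sleep(5);
            return statement.append("Statement for ").append(account).toString();
        }
    }
    // Simulates `users` simultaneous logins; returns how many responses named a
    // different customer's account than the one that requested the page (or crashed).
    static int countLeaks(Page page, int users) throws InterruptedException {
        ConcurrentHashMap<String, String> seen = new ConcurrentHashMap<>();
        Thread[] threads = new Thread[users];
        for (int i = 0; i < users; i++) {
            String acct = "ACCT-" + i;     // constructed sample account ids
            threads[i] = new Thread(() -> {
                try { seen.put(acct, page.render(acct)); }
                catch (Exception e) { seen.put(acct, "ERROR"); }
            });
            threads[i].start();
        }
        for (Thread t : threads) t.join();
        int[] leaks = {0};
        seen.forEach((acct, body) -> { if (!body.endsWith(acct)) leaks[0]++; });
        return leaks[0];
    }
    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared-state leaks:   " + countLeaks(new SharedStatePage(), 50));
        System.out.println("request-scoped leaks: " + countLeaks(new RequestScopedPage(), 50));
    }
}
```

The shared-state variant typically reports many leaks (and occasionally an "ERROR" from two threads appending to the same StringBuilder, which matches the "trimmed-down dump" the post describes), while the request-scoped variant reports zero; the same check applies to static fields and to any singleton the RMI interface hands back.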