Posted to users@tomcat.apache.org by Aron Kramlik <ar...@itouch.com.au> on 2001/04/20 04:20:32 UTC

other session visible

Hi,

We have been running TC 3.1/3.2/3.2.1 for the past year and a bit and we
have seen twice a very strange problem which is now of concern as our
product goes live to the public more and more.

While filling in a registration form from screen to screen and saving the
data in beans the user gets to the last page (confirm details) and all the
details are for a different user (i.e. different session which was
registered before, not on the same computer and probably not active
anymore).

I know this is very vague but are there any suggestions that people might
have that could cause this problem?  Obviously this is very serious from an
application point of view and not necessarily a TC problem.

Thanks in advance,
Aron Kramlik.



Re: other session visible

Posted by Mark Howell <ma...@nullcraft.org>.
In general, not specific to tomcat, it appears to me that you might be
updating, say, a session-scoped object in one location, and an
application-scoped object elsewhere.  That might explain how data from one
session becomes visible to another.  Consider this example:

User A logs on, creates an object named 'foo' and puts it inadvertently into
the application context.  This is where the mistake happens, as it should have
been session scope.

User B then logs on.  When user B attempts to create an object named 'foo' and
place it in the session scope (what should be happening), this process
fails.  Hence, for user B, there is no session-scoped object named 'foo'.

User B attempts to display object 'foo'.  When user B uses (either directly or
indirectly) pageContext.findAttribute('foo'), all of the various scopes are
searched until an object named 'foo' is found.  This is executed in the order:
page, request, session, application.  Hence, user A's version of 'foo' will
only be made available to user B when B's setAttribute() method call fails.  

Yes, I'm one of those sick people that likes to speculate and hypothesize a lot
when presented with vague questions.

-Mark Howell
mark at nullcraft.org

Aron Kramlik wrote:
> 
> Hi,
> 
> We have been running TC 3.1/3.2/3.2.1 for the past year and a bit and we
> have seen twice a very strange problem which is now of concern as our
> product goes live to the public more and more.
> 
> While filling in a registration form from screen to screen and saving the
> data in beans the user gets to the last page (confirm details) and all the
> details are for a different user (i.e. different session which was
> registered before, not on the same computer and probably not active
> anymore).
> 
> I know this is very vague but are there any suggestions that people might
> have that could cause this problem?  Obviously this is very serious from an
> application point of view and not necessarily a TC problem.
> 
> Thanks in advance,
> Aron Kramlik.
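
The scenario described in the reply above, as an added example that is not part of the original thread: a plain-Java model (not Tomcat code) of the page, request, session, application lookup order, showing how an application-scoped 'foo' reaches a user whose session has none. The class and method names are hypothetical, and the maps stand in for the real scope objects.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Simplified model of JSP scope lookup (hypothetical names, not Tomcat code).
public class ScopeLeakDemo {
    // One map shared by every user, like the application (ServletContext) scope.
    static final Map<String, Object> application = new HashMap<>();

    // Searches page, request, session, application and returns the first hit,
    // the order the reply gives for pageContext.findAttribute().
    static Object findAttribute(String name, Map<String, Object> page,
                                Map<String, Object> request,
                                Map<String, Object> session) {
        for (Map<String, Object> scope : List.of(page, request, session, application)) {
            if (scope.containsKey(name)) {
                return scope.get(name);
            }
        }
        return null;
    }

    // Stricter read for per-user data: only the caller's own session counts.
    static Object fromSessionOnly(String name, Map<String, Object> session) {
        return session.get(name);
    }

    public static void main(String[] args) {
        Map<String, Object> page = new HashMap<>();
        Map<String, Object> request = new HashMap<>();
        Map<String, Object> sessionB = new HashMap<>();

        // User A: the bean lands in application scope by mistake (constructed data).
        application.put("foo", "registration details of user A");

        // User B: the session-scoped store failed, so B's session has no 'foo'.
        System.out.println("all scopes, B: " + findAttribute("foo", page, request, sessionB));
        System.out.println("session only, B: " + fromSessionOnly("foo", sessionB));

        // When B's own bean is stored, the session entry is found first.
        sessionB.put("foo", "registration details of user B");
        System.out.println("all scopes, B after store: "
                + findAttribute("foo", page, request, sessionB));

        // Cleanup a defender would apply: per-user data never stays shared.
        application.remove("foo");
    }
}
```

Reading per-user beans from the session alone turns a missing bean into a null the application can handle, instead of silently falling through to whatever another user left in the shared scope.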