Re: getSession() thread-safe? User A can see user B's account

[Len Popp <le...@gmail.com>]

On 7/21/06, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Dave,
>
> > I am using JSF (apache faces). The way to get Session or
> > HttpServletRequest from a backing bean is through FacesContext.
> > Backing beans are not servlet, so can not access HttpServletRequest
> > directly.
> >
> > After synchronizing the method, I still got the same problem.
>
> Synchronization is not the problem: the lack of any identifying piece of
> information is the problem. You have to have a way to identify which
> user you are working with in order to get the session.
>
> >     public static HttpSession getHttpSession(boolean create) {
> >     FacesContext context = FacesContext.getCurrentInstance();
> >     return (HttpSession)context.getExternalContext().getSession(create);
> >   }
>
> There is no information about the user, here. How does
> FacesContext.getSession know which session to get?!
>
> > It is in production stage and users are starting to use it. I am very
> > nervous.
>
> You certainly cannot think about going live with such a bad bug. What is
> the product?
>
> -chris
>

According to the JSF documentation, FacesContext.getCurrentInstance
and ExternalContext.getSession are supposed to return information
about the current request, i.e. "the request that is being processed
by the current thread". I haven't used JSF myself so I can't say if
there's a problem getting the session that way, but it looks correct
at first glance.

References:
http://java.sun.com/javaee/javaserverfaces/1.0/docs/api/javax/faces/context/FacesContext.html
http://java.sun.com/javaee/javaserverfaces/1.0/docs/api/javax/faces/context/ExternalContext.html
-- 
Len

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org