PDA

View Full Version : session object behaves like application (scope)


alanyap
05-04-2010, 06:50 AM
I have a huge problem here where all user session (in their respective machine) are treated as a singular session. And it persist to all other client machines that access the webapp. In short,it behaves like an application scoped object.

My case:

- webapp (using Resin 3.0) deployed to server (Windows Server 2008)
- computers in the lab accesses it via http://machine-ip:8080/newapp
- user logs in using their respective account
- the jsp engine only "remembers" one single user session (latest).

In the lab, scenario of what had happened:

1) user A logs in our webapp using computer A successfully using his user ID/password. his browser display "welcome user A".
2) user B logs in using computer B successfuly, his browser display "welcome user B".
3) Now user A has lost his session, overwritten by user B's. When he clicked on refresh on the browser, it displays "welcome user A" instead.
4) Even without logging in , the session "persist" to all the networked machines there. loading "http://machine-ip:8080/newapp" directly from other computers there, will display "welcome user A". (very "fatal" security breach there)

The problem doesn't happen in the actual server where the webapp is deployed:- http://localhost:8080/newapp. All the sessions created by user logins in multiple browser instances are unique.

There is an annoying problem that I wonder might be related to the problem above:

1) main page detects not logged in, display login form
2) user logs in successfully, redirectly to the same main page
3) instead of displaying "welcome user" and hiding the login form, it serves the previous page (cached, displaying the form). I need to refresh the browser once to get intended "welcome user" page.

My codes:

in jsp page:

<jsp:useBean id="USER" scope="session" class="newapp.user"></jsp:useBean>

in newapp/user.java

package newapp;

import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class user implements java.io.Serializable

{


public String ID=null;
public int TYPE=0;
public int STATUS=0;

public String NAME=null;

public boolean ISLOGGED=false'

public Hashtable SETTING = new Hashtable();

public void set(String NEW_NAME,int NEW_TYPE)
{
NAME=NEW_NAME;
TYPE=NEW_TYPE;

ISLOGGED=true;

}

public void logOut()
{
NAME=null;
TYPE=0;
ISLOGGED=false;
}

}


I'm don't even know where to start debugging. Any idea? I suspect my resin.conf configuration is improperly done (which I didn't tweak anything except adding in the webapp entry). Since I'm developing the webapp for intranet use, do I need to configure the ip inside resin.conf too?

emil
05-05-2010, 09:25 PM
Hi,

Looks like it could have been a bug in that version of Resin. Resin 3.0 is extremely old at this point and should be used only for legacy applications/deployments. If you're developing a new application, please try Resin 3.1 or 4.0. If you're stuck with Resin 3.0 because of some external requirement, you could just try setting the user in the session directly without the jsp:useBean tag.

Best,
Emil