session collusion problem

I am getting session collusion problem , if I open my application on two
IE6 browsers in the same system, after some time , I am getting
values which are not applicable for that session , but will be
applicable for the session present on other browser.

Please help, What could be the problem?

scenario: In our Application for one user we have given rights to create the record, and for another user to update the record.User is opening two browsers one with create rights(userid X) and another with update rights(userid Y) in the same system, then he is going to create the record but in data base it showing created by as Y, but it should be X.It seems second browsers session is coming in the first browser.

Thanks and Regards
Arun Kumar

Hi,

Are you using same session variable for both create & update as like

for creating : HttpSession s=request.getSession().setAttribute("DEMO", rs);

for updating : HttpSession s=request.getSession().setAttribute("DEMO", rs);

If yes then you should do this

for creating : HttpSession s=request.getSession().setAttribute("CREATE", rs);

for updating : HttpSession s=request.getSession().setAttribute("UPDATE", rs);

If no then why dont you use query string variables ?

Session attributes are not thread safe . I guess, hence this behaviour.. you got use synchronize block where you set and get session attributes.

am getting
values which are not pplicable for that session , but will be
applicable for the session present on other browser.

My first reaction is that you probably are using instance variables to hold user values. This problem is exactly what we see in such cases as instance variables are shared between all requests.

Bill

Hi,

There is some misunderstanding.

Ours is enterprise application.There are near about 2000 users are using our application in intranet.There are some users who can have create rights , but they dont have approve rights(As per business needs).The person who has approve rights they can only approve that record (called maker and checker condition).

Scenario:
For some users for their convieniance purpose , they took the approved id and passworod. And they open two browsers with created id , and Approved id in same system then he is creating the record but in database created by is showing Approved id , which is in another browser id.

Note : It iscoming only in production,not simulating in developement Environment.

Please suggest

The two browser instances are sharing the same cookies and therefore the same session.

As Balu and Bear mentioned,try to synchronize the session . else use Database Check

Hi,

Use external table validation.

As Bear Bibeault already mentioned:
>The two browser instances are sharing the same cookies and therefore the same session
This sharing of the same session is causing your problem, and synchronising on it will not help.
Each user should have its own unique session.
So you should try to avoid the two users using the same cookie.
Perhaps by disabling cookies?

This does not represent a real world scenario. I wouldn't worry about it. Two different users are to be tested with two separate browser instances. Easiest way is to use two different webbrowsers for this (e.g. Firefox and Opera).

Cookie-based session management is done on a per-instance basis. This is especially troublesome when using Internet Explorer since (squeaky Steve Ballmer voice) "IE is an Integral part of Windows". So even if you've got copies of IE6 and IE7, expect some bleed-over.

Note I said per-instance and NOT per-user! Cookies aren't tied to a user ID, they're placed in a common cookie jar (not the same jar as Firefox uses, though).

I'll be willing to bet this is yet another case of DIY security where you have to log on a 2 separate users to get things done. And it's biting you, because 2 users are both binding to the same session handle (cookie).

If this isn't on my (long) list of why it's better to use container-based security instead of rolling your own, it should be. One of the things that the standard JEE security model is based on is the idea that business processes are tied to roles. If you want to (temporarily or permanently) give the ability to perform a function to someone, you secure it to a named security role, then add that role to the user's list of allowable roles. You don't have to sign off and back on again or sign on as 2 different users simultaneously. You sign in once, and that's all. If you want' to open additional browser windows, and the app knows enough to allow for it, that's fine. Each window will also be subject to those same security constraints.

I cant use query string url. and it is not related to any security issue also.

When i login in to my application, we are placing userid in session in controller.java file

Code :

session = request.getSession(true);

if (request.getParameter("strUserName") != null )
{
session.setAttribute("username", request.getParameter("strUserName"));
}

After that where ever we need, we are getting the username from seesion and using that.

This problem is coming , when i open two browsers in th same system, the first userid(i mean the browser which i open first) is replaced by second browser useid.

Is there any solution , please suggest?

Hi vavilala
In your initial post you mentioned that you are trying to open in two IE6 browsers. I think, that might be the problem.
What you might be doing is opening two different IE6 windows. But since both are windows of the same application i.e. IE6, they will share the same session information. In your case, it will be the latest user who logged in.

I suggest that you log in user x using IE6, and log in user Y using mozilla or some other browser application. Since they are different browser applications, they will not share the same session information, hence, both users will be separately be logged into the system.

Let us know if this helps.
Happy Programming ;)

Hi Ryan,

Our application will work in IE only.And we cant tell the users that while opening two browsers of the same application, open with different browsers. It cant be possible. Normally users using the same bowsers for all the applications.

And one more thing , the same i am doing in my developement Env.
I am also using IE6, and opening two browsers and doing the same thing what users are doing , but i am not facing the problem.

What might causing the problem ?