session collusion problem

 
Greenhorn
Posts: 8
I am getting a session collusion problem: if I open my application in two
IE6 browsers on the same system, after some time I am getting
values which are not applicable for that session, but will be
applicable for the session present on the other browser.

Please help. What could be the problem?

Scenario: In our application we have given one user rights to create the record, and another user rights to update the record. The user is opening two browsers, one with create rights (userid X) and another with update rights (userid Y), on the same system. Then he creates the record, but in the database it shows created by as Y, when it should be X. It seems the second browser's session is coming into the first browser.

Thanks and Regards
Arun Kumar
 
Ranch Hand
Posts: 405
Hi,

Are you using the same session variable for both create and update, like this?

for creating : request.getSession().setAttribute("DEMO", rs);

for updating : request.getSession().setAttribute("DEMO", rs);

If yes, then you should do this:

for creating : request.getSession().setAttribute("CREATE", rs);

for updating : request.getSession().setAttribute("UPDATE", rs);

If no, then why don't you use query string variables?





 
Ranch Hand
Posts: 874
Session attributes are not thread safe. I guess, hence this behaviour. You have got to use a synchronized block where you set and get session attributes.
 
Author and all-around good cowpoke
Posts: 13078

> I am getting values which are not applicable for that session, but will be applicable for the session present on other browser.



My first reaction is that you probably are using instance variables to hold user values. This problem is exactly what we see in such cases as instance variables are shared between all requests.

Bill
 
vavilala akumar
Greenhorn
Posts: 8
Hi,

There is some misunderstanding.

Ours is an enterprise application. There are about 2000 users using our application on the intranet. There are some users who have create rights, but they don't have approve rights (as per business needs). Only the person who has approve rights can approve that record (called the maker and checker condition).

Scenario:
Some users, for their convenience, took the Approved id and password. They open two browsers, one with the created id and one with the Approved id, on the same system. Then the user creates the record, but in the database created by is showing the Approved id, which is the id in the other browser.

Note: It is coming only in production, not simulating in the development environment.

Please suggest
 
Sheriff
Posts: 67753
The two browser instances are sharing the same cookies and therefore the same session.
 
Ranch Hand
Posts: 5575
As Balu and Bear mentioned, try to synchronize the session. Else use a database check.
 
Ranch Hand
Posts: 40
Hi,

Use external table validation.

 
Greenhorn
Posts: 12
As Bear Bibeault already mentioned:
>The two browser instances are sharing the same cookies and therefore the same session
This sharing of the same session is causing your problem, and synchronising on it will not help.
Each user should have its own unique session.
So you should try to avoid the two users using the same cookie.
Perhaps by disabling cookies?
 
Ranch Hand
Posts: 2458
This does not represent a real world scenario. I wouldn't worry about it. Two different users are to be tested with two separate browser instances. The easiest way is to use two different web browsers for this (e.g. Firefox and Opera).
 
Saloon Keeper
Posts: 28492
Cookie-based session management is done on a per-instance basis. This is especially troublesome when using Internet Explorer since (squeaky Steve Ballmer voice) "IE is an Integral part of Windows". So even if you've got copies of IE6 and IE7, expect some bleed-over.

Note I said per-instance and NOT per-user! Cookies aren't tied to a user ID, they're placed in a common cookie jar (not the same jar as Firefox uses, though).

I'll be willing to bet this is yet another case of DIY security where you have to log on as 2 separate users to get things done. And it's biting you, because 2 users are both binding to the same session handle (cookie).

If this isn't on my (long) list of why it's better to use container-based security instead of rolling your own, it should be. One of the things that the standard JEE security model is based on is the idea that business processes are tied to roles. If you want to (temporarily or permanently) give the ability to perform a function to someone, you secure it to a named security role, then add that role to the user's list of allowable roles. You don't have to sign off and back on again or sign on as 2 different users simultaneously. You sign in once, and that's all. If you want to open additional browser windows, and the app knows enough to allow for it, that's fine. Each window will also be subject to those same security constraints.
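Added example, not part of the thread and not the poster's application code: a sketch of the role-based model described in the post above, where one signed-in user holds whichever roles they need and the servlet asks the container who the caller is. It assumes container authentication is configured, the `javax.servlet` API is on the classpath, and the roles `maker` and `checker` are declared; the servlet name, parameter names and in-memory maps are hypothetical.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: role names, parameter names and the in-memory maps are assumptions.
public class RecordServlet extends HttpServlet {
    // Stand-ins for database tables (shared on purpose; no per-user state lives in fields).
    private static final Map<String, String> CREATED_BY = new ConcurrentHashMap<>();
    private static final Map<String, String> APPROVED_BY = new ConcurrentHashMap<>();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getRemoteUser();      // name the container authenticated, or null
        String action = req.getParameter("action");
        String id = req.getParameter("recordId");
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else if (action == null || id == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        } else if (action.equals("create") && req.isUserInRole("maker")) {
            // "Created by" is the container's principal, not a value the page supplied.
            boolean isNew = CREATED_BY.putIfAbsent(id, user) == null;
            resp.setStatus(isNew ? HttpServletResponse.SC_CREATED
                                 : HttpServletResponse.SC_CONFLICT);
        } else if (action.equals("approve") && req.isUserInRole("checker")) {
            String creator = CREATED_BY.get(id);
            if (creator == null) {
                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            } else if (creator.equals(user)) {
                // Maker-checker still holds for one account that has both roles.
                resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "creator cannot approve own record");
            } else {
                APPROVED_BY.putIfAbsent(id, user);
                resp.setStatus(HttpServletResponse.SC_OK);
            }
        } else {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);   // signed in, lacks the role
        }
    }
}
```

The self-approval check is an addition based on the maker and checker condition mentioned earlier in the thread; roles alone do not enforce it once a single user holds both.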
 
vavilala akumar
Greenhorn
Posts: 8

I can't use a query string URL, and it is not related to any security issue either.

When I log in to my application, we are placing the userid in the session in the controller.java file.

Code :

    session = request.getSession(true);

    // Store the submitted user name in the session
    if (request.getParameter("strUserName") != null)
    {
        session.setAttribute("username", request.getParameter("strUserName"));
    }

After that, wherever we need it, we get the username from the session and use that.

This problem comes when I open two browsers on the same system: the first userid (I mean the browser which I opened first) is replaced by the second browser's userid.

Is there any solution? Please suggest.
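Added example, not part of the thread and not the poster's application code: a JDK-only simulation of the login logic in the post above when two windows share one cookie jar, next to a guarded login that refuses to rebind a session already bound to a different user. The class and method names are hypothetical, and the credential check is left out just as it is in the posted snippet.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

public class SharedCookieJarDemo {
    // Server side: session id -> attributes (stands in for the container's session table).
    static final Map<String, Map<String, String>> SESSIONS = new HashMap<>();

    // Mirrors request.getSession(true): reuse the session the cookie names, else create one.
    static Map<String, String> getSession(Map<String, String> cookieJar) {
        String id = cookieJar.get("JSESSIONID");
        if (id == null || !SESSIONS.containsKey(id)) {
            id = UUID.randomUUID().toString();
            SESSIONS.put(id, new HashMap<>());
            cookieJar.put("JSESSIONID", id);          // Set-Cookie lands in the shared jar
        }
        return SESSIONS.get(id);
    }

    // Login as posted: whatever strUserName arrives replaces the session's username.
    static void loginAsPosted(Map<String, String> cookieJar, String strUserName) {
        getSession(cookieJar).put("username", strUserName);
    }

    // Guarded login: a session bound to one user is never silently rebound to another.
    static boolean loginGuarded(Map<String, String> cookieJar, String strUserName) {
        String bound = getSession(cookieJar).putIfAbsent("username", strUserName);
        return bound == null || bound.equals(strUserName);
    }

    // What the "create record" page writes into the created-by column.
    static String createdBy(Map<String, String> cookieJar) {
        return getSession(cookieJar).get("username");
    }

    public static void main(String[] args) {
        Map<String, String> jar = new HashMap<>();    // one jar shared by both windows
        loginAsPosted(jar, "X");                      // window 1 logs in
        loginAsPosted(jar, "Y");                      // window 2: same cookie, same session
        System.out.println("as posted: created by " + createdBy(jar));

        Map<String, String> jar2 = new HashMap<>();   // constructed second run, guarded login
        loginGuarded(jar2, "X");
        boolean accepted = loginGuarded(jar2, "Y");   // refused: X must log out first
        System.out.println("guarded: second login accepted=" + accepted
                + ", created by " + createdBy(jar2));
    }
}
```

When the guarded login returns false, the application can tell the user that this browser is already signed in as someone else instead of changing the identity behind the first window.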

 
Ranch Hand
Posts: 53
Hi vavilala
In your initial post you mentioned that you are trying to open in two IE6 browsers. I think, that might be the problem.
What you might be doing is opening two different IE6 windows. But since both are windows of the same application i.e. IE6, they will share the same session information. In your case, it will be the latest user who logged in.

I suggest that you log in user X using IE6, and log in user Y using Mozilla or some other browser application. Since they are different browser applications, they will not share the same session information; hence, both users will be separately logged into the system.

Let us know if this helps.
Happy Programming ;)
 
vavilala akumar
Greenhorn
Posts: 8
Hi Ryan,

Our application will work in IE only. And we can't tell the users that, while opening two browsers of the same application, they should open it with different browsers. That is not possible. Normally users use the same browser for all the applications.

And one more thing: I am doing the same in my development environment.
I am also using IE6, opening two browsers and doing the same thing the users are doing, but I am not facing the problem.

What might be causing the problem?
 