session collusion problem
vavilala akumar
Greenhorn
Posts: 8
posted 8 years ago
I am getting session collusion problem , if I open my application on two
IE6 browsers in the same system, after some time , I am getting
values which are not applicable for that session , but will be
applicable for the session present on other browser.
Please help, What could be the problem?
scenario: In our Application for one user we have given rights to create the record, and for another user to update the record.User is opening two browsers one with create rights(userid X) and another with update rights(userid Y) in the same system, then he is going to create the record but in data base it showing created by as Y, but it should be X.It seems second browsers session is coming in the first browser.
Thanks and Regards
Arun Kumar
IE6 browsers in the same system, after some time , I am getting
values which are not applicable for that session , but will be
applicable for the session present on other browser.
Please help, What could be the problem?
scenario: In our Application for one user we have given rights to create the record, and for another user to update the record.User is opening two browsers one with create rights(userid X) and another with update rights(userid Y) in the same system, then he is going to create the record but in data base it showing created by as Y, but it should be X.It seems second browsers session is coming in the first browser.
Thanks and Regards
Arun Kumar
ujjwal soni
Ranch Hand
Posts: 405
posted 8 years ago
Hi,
Are you using same session variable for both create & update as like
for creating : HttpSession s=request.getSession().setAttribute("DEMO", rs);
for updating : HttpSession s=request.getSession().setAttribute("DEMO", rs);
If yes then you should do this
for creating : HttpSession s=request.getSession().setAttribute("CREATE", rs);
for updating : HttpSession s=request.getSession().setAttribute("UPDATE", rs);
If no then why dont you use query string variables ?
Are you using same session variable for both create & update as like
for creating : HttpSession s=request.getSession().setAttribute("DEMO", rs);
for updating : HttpSession s=request.getSession().setAttribute("DEMO", rs);
If yes then you should do this
for creating : HttpSession s=request.getSession().setAttribute("CREATE", rs);
for updating : HttpSession s=request.getSession().setAttribute("UPDATE", rs);
If no then why dont you use query string variables ?
Cheers!!!
Ujjwal B Soni <baroda, gujarat, india> <+918866008962>
"Helping hands are better than praying lips......"
posted 8 years ago
Session attributes are not thread safe . I guess, hence this behaviour.. you got use synchronize block where you set and get session attributes.
William Brogden
Author and all-around good cowpoke
Rancher
Rancher
Posts: 13078
6
posted 8 years ago
My first reaction is that you probably are using instance variables to hold user values. This problem is exactly what we see in such cases as instance variables are shared between all requests.
Bill
am getting
values which are not pplicable for that session , but will be
applicable for the session present on other browser.
My first reaction is that you probably are using instance variables to hold user values. This problem is exactly what we see in such cases as instance variables are shared between all requests.
Bill
vavilala akumar
Greenhorn
Posts: 8
posted 8 years ago
Hi,
There is some misunderstanding.
Ours is enterprise application.There are near about 2000 users are using our application in intranet.There are some users who can have create rights , but they dont have approve rights(As per business needs).The person who has approve rights they can only approve that record (called maker and checker condition).
Scenario:
For some users for their convieniance purpose , they took the approved id and passworod. And they open two browsers with created id , and Approved id in same system then he is creating the record but in database created by is showing Approved id , which is in another browser id.
Note : It iscoming only in production,not simulating in developement Environment.
Please suggest
There is some misunderstanding.
Ours is enterprise application.There are near about 2000 users are using our application in intranet.There are some users who can have create rights , but they dont have approve rights(As per business needs).The person who has approve rights they can only approve that record (called maker and checker condition).
Scenario:
For some users for their convieniance purpose , they took the approved id and passworod. And they open two browsers with created id , and Approved id in same system then he is creating the record but in database created by is showing Approved id , which is in another browser id.
Note : It iscoming only in production,not simulating in developement Environment.
Please suggest
Jan de Ruiter
Greenhorn
Posts: 12
posted 8 years ago
As Bear Bibeault already mentioned:
>The two browser instances are sharing the same cookies and therefore the same session
This sharing of the same session is causing your problem, and synchronising on it will not help.
Each user should have its own unique session.
So you should try to avoid the two users using the same cookie.
Perhaps by disabling cookies?
>The two browser instances are sharing the same cookies and therefore the same session
This sharing of the same session is causing your problem, and synchronising on it will not help.
Each user should have its own unique session.
So you should try to avoid the two users using the same cookie.
Perhaps by disabling cookies?
Bauke Scholtz
Ranch Hand
Posts: 2458
posted 8 years ago
Cookie-based session management is done on a per-instance basis. This is especially troublesome when using Internet Explorer since (squeaky Steve Ballmer voice) "IE is an Integral part of Windows". So even if you've got copies of IE6 and IE7, expect some bleed-over.
Note I said per-instance and NOT per-user! Cookies aren't tied to a user ID, they're placed in a common cookie jar (not the same jar as Firefox uses, though).
I'll be willing to bet this is yet another case of DIY security where you have to log on a 2 separate users to get things done. And it's biting you, because 2 users are both binding to the same session handle (cookie).
If this isn't on my (long) list of why it's better to use container-based security instead of rolling your own, it should be. One of the things that the standard JEE security model is based on is the idea that business processes are tied to roles. If you want to (temporarily or permanently) give the ability to perform a function to someone, you secure it to a named security role, then add that role to the user's list of allowable roles. You don't have to sign off and back on again or sign on as 2 different users simultaneously. You sign in once, and that's all. If you want' to open additional browser windows, and the app knows enough to allow for it, that's fine. Each window will also be subject to those same security constraints.
Note I said per-instance and NOT per-user! Cookies aren't tied to a user ID, they're placed in a common cookie jar (not the same jar as Firefox uses, though).
I'll be willing to bet this is yet another case of DIY security where you have to log on a 2 separate users to get things done. And it's biting you, because 2 users are both binding to the same session handle (cookie).
If this isn't on my (long) list of why it's better to use container-based security instead of rolling your own, it should be. One of the things that the standard JEE security model is based on is the idea that business processes are tied to roles. If you want to (temporarily or permanently) give the ability to perform a function to someone, you secure it to a named security role, then add that role to the user's list of allowable roles. You don't have to sign off and back on again or sign on as 2 different users simultaneously. You sign in once, and that's all. If you want' to open additional browser windows, and the app knows enough to allow for it, that's fine. Each window will also be subject to those same security constraints.
An IDE is no substitute for an Intelligent Developer.
vavilala akumar
Greenhorn
Posts: 8
posted 8 years ago
I cant use query string url. and it is not related to any security issue also.
When i login in to my application, we are placing userid in session in controller.java file
Code :
session = request.getSession(true);
if (request.getParameter("strUserName") != null )
{
session.setAttribute("username", request.getParameter("strUserName"));
}
After that where ever we need, we are getting the username from seesion and using that.
This problem is coming , when i open two browsers in th same system, the first userid(i mean the browser which i open first) is replaced by second browser useid.
Is there any solution , please suggest?
I cant use query string url. and it is not related to any security issue also.
When i login in to my application, we are placing userid in session in controller.java file
Code :
session = request.getSession(true);
if (request.getParameter("strUserName") != null )
{
session.setAttribute("username", request.getParameter("strUserName"));
}
After that where ever we need, we are getting the username from seesion and using that.
This problem is coming , when i open two browsers in th same system, the first userid(i mean the browser which i open first) is replaced by second browser useid.
Is there any solution , please suggest?
ryan sukale
Ranch Hand
Posts: 53
posted 8 years ago
Hi vavilala
In your initial post you mentioned that you are trying to open in two IE6 browsers. I think, that might be the problem.
What you might be doing is opening two different IE6 windows. But since both are windows of the same application i.e. IE6, they will share the same session information. In your case, it will be the latest user who logged in.
I suggest that you log in user x using IE6, and log in user Y using mozilla or some other browser application. Since they are different browser applications, they will not share the same session information, hence, both users will be separately be logged into the system.
Let us know if this helps.
Happy Programming ;)
In your initial post you mentioned that you are trying to open in two IE6 browsers. I think, that might be the problem.
What you might be doing is opening two different IE6 windows. But since both are windows of the same application i.e. IE6, they will share the same session information. In your case, it will be the latest user who logged in.
I suggest that you log in user x using IE6, and log in user Y using mozilla or some other browser application. Since they are different browser applications, they will not share the same session information, hence, both users will be separately be logged into the system.
Let us know if this helps.
Happy Programming ;)
SCJP 5.0, SCWCD 5.0, SCBCD 5.0
vavilala akumar
Greenhorn
Posts: 8
posted 8 years ago
Hi Ryan,
Our application will work in IE only.And we cant tell the users that while opening two browsers of the same application, open with different browsers. It cant be possible. Normally users using the same bowsers for all the applications.
And one more thing , the same i am doing in my developement Env.
I am also using IE6, and opening two browsers and doing the same thing what users are doing , but i am not facing the problem.
What might causing the problem ?
Our application will work in IE only.And we cant tell the users that while opening two browsers of the same application, open with different browsers. It cant be possible. Normally users using the same bowsers for all the applications.
And one more thing , the same i am doing in my developement Env.
I am also using IE6, and opening two browsers and doing the same thing what users are doing , but i am not facing the problem.
What might causing the problem ?
| With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime. |