We have a portal (uportal) running on Tomcat. We have programmed a couple of of Portlets that for the most part run just fine.
A few of these portlets are grabbing data from an Oracle DB and presenting it to our users -- this info is grabbed based upon a user id. Every once in a while (1 in 10,000 logins perhaps?) we get reports of users getting the data of different users, when we do get this report it seems to be from 2 or 3 different users at about the same time. We've looked through backups of the DB to see if info is written wrong and what it looks like some sort of session-data bleeding. (our portlets don't have any static variables that could accidentally be shared)
Has anyone ever heard of Tomcat accidentally giving one user's session data to a different user? How would I begin to look at this? I'm not sure how to view/record individual session data.
Are you using Struts, by any chance? It's real easy to make that mistake in Struts. I inherited an application that was so rife with stuff like that that its only salvation was the fact that only rarely was more than one user online at a time.
Loudly announcing something is true and finding out you're wrong makes you feel foolish.
Finding out you're wrong and refusing to admit it makes you LOOK foolish.