JSession ID issue

 
Ranch Hand
Posts: 81
Hi,

I have a web application with many hyperlinks. Links that appear on the home page of the user are role based. Say I have 2 roles, Manager and Non Manager.

First, the user with the Manager role logs in and a JSession id is assigned to that user.
Next I log in with the Non Manager role. Now I capture the JSession ID of the manager and replace it for the Non Manager user.

As a result of this, the Non Manager user is able to view the links that are supposed to be displayed only for the Manager user.

Can anyone help on how this can be fixed?

Regards
Santhosh
 
Ranch Hand
Posts: 196
You should always check userRole when displaying a link for any user. You can create a custom tag to implement this functionality.
You should be maintaining logged-in user information (user role as well) in the session, and when the user logs out, clear the user details from the session and invalidate the session.
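
The role check and logout handling described in the reply above, as an added example that is not part of the original post. It goes one step beyond the reply by enforcing the role on the manager-only URLs themselves rather than only when links are rendered. It assumes the `javax.servlet` API, a role stored under the session attribute `userRole` with the value `MANAGER`, manager pages under `/manager/`, and a login page at `/login`; those names and paths are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: server-side role check for manager-only URLs.
// Assumptions (hypothetical): login code stores the role in the session
// attribute "userRole"; manager pages live under /manager/.
public class RoleFilter implements Filter {

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session just to inspect one.
        HttpSession session = request.getSession(false);
        Object role = (session == null) ? null : session.getAttribute("userRole");

        if (role == null) {
            // No logged-in user in this session: send to the login page.
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.startsWith("/manager/") && !"MANAGER".equals(role)) {
            // Hiding the link is not enough; the target itself must refuse.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    // Logout as described in the reply: clear user details, then invalidate.
    public static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.removeAttribute("userRole");
            session.invalidate();
        }
    }
}
```

The filter decides on the role held in the server-side session, so a request that carries another user's session ID is treated as that user's session; the check does not replace protecting the session cookie itself.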
 
Santhosh ayiappan
Ranch Hand
Posts: 81
Here the session IDs of both the users are active. Both the users have not logged out.

Non Manager user is trying to manipulate using the JSession id of the Manager user.

Regards
Santhosh
 
Piyush Mangal
Ranch Hand
Posts: 196

Santhosh ayiappan wrote: Here the session IDs of both the users are active. Both the users have not logged out.

Non Manager user is trying to manipulate using the JSession id of the Manager user.

Regards
Santhosh



How can one user log in without another user logging out of the application?
This is only possible if you are explicitly taking the user to the login screen. If this is the case, your logged-in user information in the session should get replaced with the recently logged-in user. What is the issue here?
 