tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: getSession() thread-safe? User A can see user B's account
Date Fri, 21 Jul 2006 12:42:57 GMT

> Current symptom is: a user info gets into another user's session. So
> sometimes User A can see User B's info.
> The way to get session:  is it thread-safe?
> public static HttpSession getHttpSession(boolean create) { 
> FacesContext context = FacesContext.getCurrentInstance(); return
> (HttpSession)context.getExternalContext().getSession(create); }

A static getHttpSession method is almost sure to cause problems. Why are
you not using HttpServletRequest.getSession? This method accepts no
information from the caller that identifies the user trying to get their
session. How do you identify users or sessions? Where is the session id?


View raw message