tomcat-users mailing list archives

From: Timothy Collett
Subject: Re: getSession() thread-safe? User A can see user B's account
Date: Fri, 21 Jul 2006 12:21:41 GMT

On Jul 20, 2006, at 8:36 PM, Dave wrote:

> Is the following method thread-safe?
> I use my own way for authentication. After being authenticated, a user's
> info is put into the session; on logout, I call session.invalidate();
> Current symptom is: a user's info gets into another user's
> session. So sometimes User A can see User B's info.

Actually, I'm seeing something very similar, and it's a good thing my  
webapp is only in testing, or it would, indeed, be causing problems...

I've got custom User and UserSession classes for tracking users in  
general and logged-in users, respectively.  For the moment, the main  
symptoms of the problem are that the username field and the test/live  
data field are getting munged between users somehow.  I've tried to  
trace it, and haven't been able to determine the mechanism by which  
it happens.  It's also somewhat disturbing that it's just those two  
fields, and none of the rest of them.

I'll try and take another look, recreate my last experiments with the  
problem, and come back with some more detailed information.

Timothy Collett


Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.
