tomcat-users mailing list archives

From "Martin Gainty" <>
Subject Re: getSession() thread-safe? User A can see user B's account
Date Fri, 21 Jul 2006 15:06:31 GMT
YS proposed a fix which will specifically fix the ThreadCleaner
Martin --

----- Original Message ----- 
From: "Peter Crowther" <>
To: "Tomcat Users List" <>
Sent: Friday, July 21, 2006 10:37 AM
Subject: RE: getSession() thread-safe? User A can see user B's account

> From: Christopher Schultz [] 
> Dave,
> > It is very strange. I do not understand how a User object in Session
> > A gets into Session B. It seems that after a session is expired or
> > invalidated, that session is attached to another user's request.
> I think what's going on is that you have a global session, instead of
> individual sessions. User A is not seeing User B's session: everyone is
> seeing the /same/ session.

I'm going to take a different guess:

- Tomcat reuses session objects rather than allocating a new one each

- You're seeing an artifact of this re-use: an expired session object
has been re-used for a new session.

- Peter
