tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Tomcat 4.x (Major Problem)
Date Mon, 22 Jan 2007 22:08:19 GMT
Hash: SHA1


Andy Moller wrote:
> String commonName = (String)session.getAttribute("commonName");
> String[] value1 = (request.getParameterValues("value_1") != null)
>        ? request.getParameterValues("value_1")
>        : new String[0];
> String[] value2 =
>    (request.getParameterValues("value_2") != null)
>        ? request.getParameterValues("value_2")
>        : new String[0];


>                query=
>                    "insert into sample_table(id,val1,common_name,val2)"
>                        + " values (sequence.nextVal,"
>                        + singleVal1
>                        + ",'"
>                        + commonName
>                        + "','"
>                        + val2[j]
>                        + "')";

A few notes:

1. You are using the array "val2" here instead of "value2". Is that
intentional? Or, were you somewhat obfuscating your code for publication
on the list?

2. You really should be using PreparedStatements instead of string
concatenation for parameter replacement.

3. These is no evidence that "commonName" ever had the value that you
expected. Your initial claim was that the value was being taken from the
session and, between that time and the issue of the SQL query, the value
was being changed.

So... what's going on here? During the processing of this request, can
you ever see session.getAttribute("commonName") returning the correct
value? Or, has the session really been polluted somehow, or have you
really "swtiched" sessions somehow?

> Where the value "nameB" is the "commonName" session attribute value from
> a different session.

Is there any relationship whatsoever between the session you should have
and the session that you are apparently getting? Are you /sure/ that
there is another session containing that value, or are you assuming that
since it's not the expected value that you must be looking at another

Is your entire application written in JSP? I'm wondering if you ever try
to manage sessions yourself in any way.

Try this: create an HttpSesssionBindingListener and implement the
valueBound method like this:

public void valueBound(HttpSessionBindingEvent esbe)
        System.out.println("Setting session["
          + esbe.getSession().getId()
          + "].commonName="
          + esbe.getValue());
        new Throwable().printStackTrace(System.out);

This will put a full stack trace into stdout whenever the value of
commonName for a session is changed. I'm assuming that you have a test
plan that is reproducing this error in development, so you can watch the
logs as you move through your application.

Login and watch the logs. You can see when a value is poked into the
session, and what that value is. If you see that the value is changing
in your session (and it shouldn't be), then you'll see the stack trace
of the code that's doing it.

You can install this listener using a <listener> element in your web.xml
like this:


This goes after any <filter> and <filter-mapping> elements and before
any <servlet> elements.

- -chris
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla -


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message