  • Latest Post - ‏2012-12-05T14:05:20Z by bpaskin
SystemAdmin

Pinned topic Session Crossover in my web app - WAS 8.5 Express

‏2012-12-03T13:45:17Z |
Dear Friends,
I have a web app deployed on WAS 8.5 behind TAM WebSEAL 6.1.
The problem is that when userX logs in to the system and leaves the page till he expires and userY enters the system, the welcome page for userY opens with userX data.

This issue rarely happened (once every 3-4 months)

I attached the code of my centralized Action class
I'm using JavaEE 2.3, Java 5.0 and Struts 1.1

I think the problem may be in the way I access the objects over many threads and sessions
  • bpaskin

    Re: Session Crossover in my web app - WAS 8.5 Express

    ‏2012-12-04T14:31:29Z  
    Hi,

    There are a few things that need to be investigated.

    1. Do user X and Y have the same cookie name?
    2. Does the Session from user X really get invalidated?
    3. Is WebSEAL caching some information and basing the user on that cached information?

    You say this is happening in WASv8.5 Express, but the code was written several years ago. What App Server were you using then and was the problem the same?

    Regards,
    Brian
  • SystemAdmin

    Re: Session Crossover in my web app - WAS 8.5 Express

    ‏2012-12-05T13:50:32Z  
    1- I don't know if user X and user Y have the same cookie name or not, but they have two different session IDs.

    2- I didn't check that, but the timeout setting has been reached,
    but you are right... I didn't make sure by using session.isValid()

    3- WebSEAL just sends me the user ID in a request header called "iv-user", but how do I know if it caches some information?
  • bpaskin

    Re: Session Crossover in my web app - WAS 8.5 Express

    ‏2012-12-05T14:05:20Z  
    Hi,

    Please make sure that HttpSession.invalidate() is being called. You can either use an HttpSessionListener to print out information when the session is created and invalidated, or you can use some diagnostic tracing: com.ibm.ws.session.*=all:com.ibm.ws.webcontainer.srt.*=all

    Are you using clustering and any type of memory replication (memory-to-memory, memory-to-db)? Also, when the data is presented, is that data actually stored in the HttpSession or somewhere else?

    Regards,
    Brian
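
One way to apply the HttpSessionListener suggestion above, as an added example that is not code from this thread: a single class that logs session creation and destruction and, as a filter, binds each session to the "iv-user" value WebSEAL sends and reports any later mismatch. The class name SessionAudit and the attribute name "audit.owner" are hypothetical; it assumes the application is reachable only through WebSEAL, so the header can be trusted, and that the class is registered in web.xml as both a listener and a filter.

```java
import java.io.IOException;
import java.util.Date;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical class): declare it in web.xml as a <listener>
// and as a <filter> mapped to the application's URLs.
public class SessionAudit implements HttpSessionListener, Filter {
    // Hypothetical attribute under which this example records the session owner.
    private static final String OWNER = "audit.owner";

    public void sessionCreated(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        System.out.println(new Date() + " session created id=" + s.getId()
                + " maxInactive=" + s.getMaxInactiveInterval() + "s");
    }

    // Called for both explicit invalidate() and timeout; only the id is read,
    // because attribute access may fail on an already invalidated session.
    public void sessionDestroyed(HttpSessionEvent e) {
        System.out.println(new Date() + " session destroyed id=" + e.getSession().getId());
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        String ivUser = req.getHeader("iv-user");   // identity asserted by WebSEAL
        HttpSession s = req.getSession(false);      // never create a session here
        if (ivUser != null && s != null) {
            Object owner = s.getAttribute(OWNER);
            if (owner == null) {
                s.setAttribute(OWNER, ivUser);      // first sighting: bind session to user
            } else if (!owner.equals(ivUser)) {
                // A session bound to one user arrived with another user's header.
                System.out.println(new Date() + " CROSSOVER id=" + s.getId()
                        + " owner=" + owner + " iv-user=" + ivUser);
                s.invalidate();                      // drop the stale user's data
                req.getSession(true).setAttribute(OWNER, ivUser);
            }
        }
        chain.doFilter(rq, rs);
    }
}
```

A CROSSOVER line with no preceding "session destroyed" line for the same id indicates the first user's session was never invalidated; if no CROSSOVER line appears when the wrong data is shown, the data is likely held outside the HttpSession.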