12 Replies Latest reply on Jan 22, 2011 7:30 PM by rouvas

    Sessions in Tomcat

    glammy

      Hello.
      I'm currently running a web-application under Tomcat 5.5, but some strange stuff is happening with the sessions - they are sometimes mixed (i.e. a user sees pages from other users' accounts while browsing).

      Is this an HTTP sessions problem of Tomcat, that will probably be solved if I "migrate" to JBoss, or something I should try fixing in my code?

        • 1. Re: Sessions in Tomcat
          j2ee_junkie

          Glammy,

          With the exception of supporting Single Sign On sessions, JBoss does not affect how Tomcat handles HTTPSessions. AFAIK.

          I have never seen this behavior before, and would trust that Tomcat's session management has been fully tested. I would look at your application first. Verify session ID's during odd behavior.

          I am not completely sure I understand what you mean by

          sees pages from other user's accounts

          Do you mean that if user A requests to see page 1 and user B requests to see page 2, user A is receiving page 2?

          cgriffith

          • 2. Re: Sessions in Tomcat
            richard.qin

            Which client browser do you use?

            • 3. Re: Sessions in Tomcat
              glammy

              Yes, if user A requests to see page 1, and user B requests page 2, page 1 is served to user B, and when I out.println()-ed the session id - user B gets the session ID of user A.

              A friend of mine told me that this might occur because of network-caching issues. Luckily I'm currently using a test server, so I will change it soon.

              • 4. Re: Sessions in Tomcat
                glammy

                @Richard: Some of the users use IE, others - FF. Some even use Opera.
                If you think the browser might affect this behaviour, I will keep track of the browsers used.

                • 5. Re: Sessions in Tomcat
                  j2ee_junkie

                  Glammy,

                  When user A logs in, note the session ID. Then when user B logs in, note the session ID. Finally, check the session ID again after user A requests page 1 and user B requests page 2. Also, if possible, check the cookie values in each user's browser at the same points.

                  It may be helpful (although time consuming) to create a Filter and output request info on the way in and response info on the way out of your application. Info could be IP addresses, and cookies, session ID's, and Principal names.

                  Make sure your Tomcat server is configured to use session cookies in server.xml (the default value is true).

                  Are you in a clustered environment?

                  Are you using single sign on?

                  strange..., cgriffith
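
A sketch of the tracing Filter suggested in reply 5, added here as an example and not code posted by anyone in the thread. It assumes the Servlet 2.4 API shipped with Tomcat 5.5; the class name `SessionTraceFilter` is hypothetical and the filter must be mapped to `/*` in web.xml.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical class name; register it in web.xml with a <filter-mapping> on /*.
public class SessionTraceFilter implements Filter {
    private ServletContext ctx;   // set once in init(), never holds per-request data

    public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }
    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        String before = describe(req);
        ctx.log("IN  " + before);
        try {
            chain.doFilter(rq, rs);
        } finally {
            String after = describe(req);
            // A change is expected on login/logout only; anywhere else it is the symptom.
            ctx.log("OUT " + after + (after.equals(before) ? "" : "  <-- changed during request"));
        }
    }

    // Built only from local variables, so concurrent requests cannot mix here.
    private static String describe(HttpServletRequest req) {
        HttpSession s = req.getSession(false);          // never create a session just to log
        Principal p = req.getUserPrincipal();
        String cookie = "-";
        Cookie[] cookies = req.getCookies();            // null when the browser sent none
        if (cookies != null)
            for (int i = 0; i < cookies.length; i++)
                if ("JSESSIONID".equals(cookies[i].getName())) cookie = tag(cookies[i].getValue());
        return "thread=" + Thread.currentThread().getName()
             + " ip=" + req.getRemoteAddr()
             + " uri=" + req.getRequestURI()
             + " cookie=" + cookie
             + " session=" + (s == null ? "-" : tag(s.getId()))
             + " principal=" + (p == null ? "-" : p.getName());
    }

    // Log a short prefix only: a full session ID in a log file is a usable credential.
    private static String tag(String id) { return id.length() > 8 ? id.substring(0, 8) + "..." : id; }
}
```

If the `cookie=` and `session=` prefixes agree on every line while the page content belongs to someone else, the container's session lookup is working and the mix-up is happening in application state.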

                  • 6. Re: Sessions in Tomcat
                    glammy

                    No, I'm not in a clustered environment, and I don't use Single Sign On.

                    It is strange, indeed.

                    I've put an out.println(session.getId()) in my footer.jsp, and told my users to monitor the values. The result was: when user A sees pages from user B's account, the session ID also changes. (I.e. he is currently identified as the other user). I'll now output the IP address, so that things get clearer, but if it is a network-cache problem, then I'm to be calm :)

                    • 7. Re: Sessions in Tomcat
                      varkon

                      I am having the same problem, using JBoss 4.0.5. Did you find a solution to this?

                      • 8. Re: Sessions in Tomcat
                        slevy

                        When you do your tests, do you log the 2 users from the same machine?
                        Have you tried to use 2 different machines to see if the problem still occurs?
                        Could be an IE problem (feature?) with sessions when starting 2 IE instances on the same machine.

                        • 9. Re: Sessions in Tomcat
                          varkon

                          No, I am using different machines and different browsers. It does not matter which browser is used.

                          • 10. Re: Sessions in Tomcat
                            alabastida

                            I'm having this same issue in a production environment using a single JBoss AS 4.0.2, no cluster, and an Apache 2.2 frontend.

                            This only gets noticed if 2 (or more, I guess) users send the same transaction at the same time.

                            User B gets charged the amount of what user A wanted to buy, and user A gets user B's payment confirmation, and user B gets a controlled error saying their card transaction could not be processed at the time, to try again.

                            This is getting very exhausting, any comments on this kind of behavior? Thanks!

                            • 11. Sessions in Tomcat
                              himanshu17287

                              It is better ... you use a Filter in your web application .... check the session in the filter class; whenever the URL is changed the filter will be called..

                              If the session is null, transfer the page on to the login page of the user ..or wherever you want to transfer the page....

                              • 12. Sessions in Tomcat
                                rouvas

                                Get rid of any and all class variables in your servlet classes. Especially static ones.
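
Why reply 12's advice matters, shown as an added example that is not code from the thread: a servlet container calls one shared servlet instance from many request threads, so per-request data kept in a field can be overwritten by another user's request. The handler classes below are constructed stand-ins for a servlet (JDK only, no servlet API), and a barrier forces the overlap that only shows up occasionally under real load.

```java
import java.util.concurrent.CyclicBarrier;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class SharedFieldDemo {
    interface Handler { String handle(String sessionUser, CyclicBarrier gate) throws Exception; }

    // Stand-in for a servlet: ONE instance serves every request thread,
    // so this field is shared by all users.
    static class UnsafeHandler implements Handler {
        private String user;                       // per-request data in a field: the bug
        public String handle(String sessionUser, CyclicBarrier gate) throws Exception {
            user = sessionUser;                    // both requests write the same field
            gate.await();                          // force both writes before either read
            return sessionUser + " received the page of " + user;
        }
    }

    static class SafeHandler implements Handler {
        public String handle(String sessionUser, CyclicBarrier gate) throws Exception {
            String user = sessionUser;             // local variable: private to this thread
            gate.await();
            return sessionUser + " received the page of " + user;
        }
    }

    // Runs two simulated requests at the same time against one handler instance.
    static String[] serveConcurrently(Handler h) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(2);
        CyclicBarrier gate = new CyclicBarrier(2);
        try {
            Future<String> a = pool.submit(() -> h.handle("userA", gate));
            Future<String> b = pool.submit(() -> h.handle("userB", gate));
            return new String[] { a.get(), b.get() };
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        for (Handler h : new Handler[] { new UnsafeHandler(), new SafeHandler() }) {
            System.out.println(h.getClass().getSimpleName());
            for (String line : serveConcurrently(h)) System.out.println("  " + line);
        }
    }
}
```

With `UnsafeHandler` both requests report the same page owner, so one user always receives the other's page; with `SafeHandler` each request keeps its own value.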