6 Replies Latest reply on Aug 6, 2009 4:27 PM by Phil Haigh

    Session scoped variable leaking to application

    Phil Haigh Novice

      I have run into a rather surprising (to me) behaviour.. I have a session scoped variable, which by my understanding should only be visible to the current user (i.e. browser session).

      However, the variable on occassion becomes visible to another session (different browser, different client machine).

      The set up is this:


      public class Authenticator implements AuthenticatorI
          @In @Out
          Identity identity;
          @Out(scope=ScopeType.SESSION, required=false) 
          private User currentUser;    
          EntityManager entityManager;    
          public boolean authenticate()
                   currentUser = (User) entityManager.createQuery(
                          "from User where username = :username ")
                          .setParameter("username", identity.getUsername())
                       if (currentUser.getPassword().equalsIgnoreCase(identity.getPassword())) return true;
                           Events.instance().raiseEvent("invalidLoginPassword", "Incorrect password");
                           return false;                  
              catch (NoResultException ex)
                   Events.instance().raiseEvent("invalidLoginUsername", "Invalid username");
                      return false;                  
              catch (Exception ex)
                   Events.instance().raiseEvent("invalidLogin", "Login failure");
                   return false;
          public String logout()
               return "loggedOut";

      JSF page

      <ui:define name="content">
           <h:outputText value="id: #{currentUser.id}"/> <!-- This is for debugging this problem -->
           <h:panelGroup rendered="#{!identity.loggedIn}">
                <h2>please login below</h2>
                <h:messages showDetail="false" styleClass="messages" warnClass="warn" errorClass="error" layout="table"/>
                     <h:panelGrid columns="2" columnClasses="p">
                          <h:outputText value="email: "/>
                          <h:inputText label="email" value="#{identity.username}"/>
                          <h:outputText value="password: "/>
                          <h:inputSecret label="password" value="#{identity.password}"/>
                     <h:commandButton styleClass="button" action="#{identity.login}" value="Login" />
           <h:panelGroup rendered="#{identity.loggedIn}">
                <h2>Hi #{currentUser.participant.firstname}</h2>          

      Sometimes, and only sometimes, after a log in on one machine, going to the JSF page in question on another machine will display the current user ID of the user logged in on the other machine..

      Is this expected behaviour??