6 Replies Latest reply on Aug 6, 2009 4:27 PM by pdhaigh

    Session scoped variable leaking to application

    pdhaigh

      I have run into a rather surprising (to me) behaviour.. I have a session scoped variable, which by my understanding should only be visible to the current user (i.e. browser session).


      However, the variable on occasion becomes visible to another session (different browser, different client machine).


      The set up is this:


      Authenticator


      import javax.ejb.Stateless;
      import javax.persistence.EntityManager;
      import javax.persistence.NoResultException;

      import org.jboss.seam.ScopeType;
      import org.jboss.seam.annotations.In;
      import org.jboss.seam.annotations.Name;
      import org.jboss.seam.annotations.Out;
      import org.jboss.seam.core.Events;
      import org.jboss.seam.security.Identity;

      @Stateless
      @Name("authenticator")
      public class Authenticator implements AuthenticatorI
      {
          @In @Out
          Identity identity;

          // Outjected to the SESSION context after each call, but never injected,
          // so the field keeps whatever the previous call on this pooled instance left in it.
          @Out(scope=ScopeType.SESSION, required=false)
          private User currentUser;

          @In
          EntityManager entityManager;

          public boolean authenticate()
          {
              try
              {
                  // Look the user up by username; throws NoResultException if unknown,
                  // in which case currentUser is left untouched.
                  currentUser = (User) entityManager.createQuery(
                          "from User where username = :username ")
                          .setParameter("username", identity.getUsername())
                          .getSingleResult();

                  identity.addRole(currentUser.getRole());

                  if (currentUser.getPassword().equalsIgnoreCase(identity.getPassword())) return true;
                  else
                  {
                      Events.instance().raiseEvent("invalidLoginPassword", "Incorrect password");
                      return false;
                  }
              }
              catch (NoResultException ex)
              {
                  Events.instance().raiseEvent("invalidLoginUsername", "Invalid username");
                  return false;
              }
              catch (Exception ex)
              {
                  Events.instance().raiseEvent("invalidLogin", "Login failure");
                  return false;
              }
          }

          public String logout()
          {
              identity.logout();
              return "loggedOut";
          }
      }



      JSF page


      <ui:define name="content">
           <h:outputText value="id: #{currentUser.id}"/> <!-- This is for debugging this problem -->
           <h:panelGroup rendered="#{!identity.loggedIn}">
                <h2>please login below</h2>
                <h:messages showDetail="false" styleClass="messages" warnClass="warn" errorClass="error" layout="table"/>
                <h:form>
      
                     <h:panelGrid columns="2" columnClasses="p">
                          <h:outputText value="email: "/>
                          <h:inputText label="email" value="#{identity.username}"/>
                          <h:outputText value="password: "/>
                          <h:inputSecret label="password" value="#{identity.password}"/>
                     </h:panelGrid>
      
                     <h:commandButton styleClass="button" action="#{identity.login}" value="Login" />
      
                </h:form>          
           </h:panelGroup>          
           <h:panelGroup rendered="#{identity.loggedIn}">
                <h2>Hi #{currentUser.participant.firstname}</h2>          
           </h:panelGroup>
      </ui:define>



      Sometimes, and only sometimes, after a log in on one machine, going to the JSF page in question on another machine will display the current user ID of the user logged in on the other machine..


      Is this expected behaviour??


        • 1. Re: Session scoped variable leaking to application
          pdhaigh

          I think I've worked this out... it's actually that the authenticator is outjecting the currentUser each time (without having it INjected), which if a subsequent login fails, has not been overwritten, and so outjects the last log in.


          apologies :)


          Incidentally, an edit or delete option for existing posts on here would be good ;-)
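          Added illustration (not code from this thread or from Seam): a toy model of what the reply above describes. A stateless bean instance is pooled and reused across requests from different sessions; the container copies its @Out field into the caller's session after every call; and when the lookup fails the field is never reassigned, so the previous caller's user is copied into the new caller's session. The names (LeakyAuthenticator, FixedAuthenticator, Container, the "alice"/"bob" sessions) are made up for the demo. The fixed variant does what the thread's workaround does: reset the field at the start of every call, which is the effect of adding @In(required=false) in Seam.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

public class OutjectionLeakDemo {

    /** Per-browser session context, standing in for Seam's SESSION scope. */
    static final class SessionContext {
        final Map<String, Object> vars = new HashMap<>();
    }

    /** The pattern from the thread: a field that is outjected but never injected or reset. */
    static class LeakyAuthenticator {
        String currentUser;                     // simulated @Out(scope=SESSION, required=false)

        boolean authenticate(String username, boolean userExists) {
            if (!userExists) {
                return false;                   // "NoResultException" path: field left untouched
            }
            currentUser = username;
            return true;
        }
    }

    /** The workaround: clear the field on every call (what @In(required=false) achieves). */
    static class FixedAuthenticator extends LeakyAuthenticator {
        @Override
        boolean authenticate(String username, boolean userExists) {
            currentUser = null;
            return super.authenticate(username, userExists);
        }
    }

    /** A pool of one stateless instance, so every request reuses the same object. */
    static final class Container {
        private final Deque<LeakyAuthenticator> pool = new ArrayDeque<>();

        Container(LeakyAuthenticator instance) {
            pool.push(instance);
        }

        boolean login(SessionContext session, String username, boolean userExists) {
            LeakyAuthenticator bean = pool.pop();
            try {
                return bean.authenticate(username, userExists);
            } finally {
                // Outjection: whatever is in the field goes into the *caller's* session.
                session.vars.put("currentUser", bean.currentUser);
                pool.push(bean);
            }
        }
    }

    /** Alice logs in successfully, then Bob's login fails; return what Bob's session now holds. */
    static Object whatBobSees(LeakyAuthenticator impl) {
        Container container = new Container(impl);
        SessionContext alice = new SessionContext();
        SessionContext bob = new SessionContext();
        container.login(alice, "alice", true);   // sets the field to "alice"
        container.login(bob, "unknown", false);  // fails; field is not reassigned
        return bob.vars.get("currentUser");
    }

    public static void main(String[] args) {
        System.out.println("leaky bean: bob's session sees " + whatBobSees(new LeakyAuthenticator()));
        System.out.println("fixed bean: bob's session sees " + whatBobSees(new FixedAuthenticator()));
    }
}
```

          Run as a plain Java program: the leaky variant reports "alice" in Bob's session, the fixed variant reports null. The model is deliberately a single-instance pool; a real container pool makes the leak intermittent, which is why the original post saw it only "sometimes".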

          • 2. Re: Session scoped variable leaking to application
            nico

            Hi Phil,


            I solved a similar problem, that I have in fact experienced on many occasions and seemingly always involving the Stateless AuthenticatorAction which I presume just about all Seam users use. I was able to reproduce the error I experienced only after a failed login, just like in your case, so thanks for your post.


            What I still don't understand though, and this is after reading and re-reading the relevant Seam documentation, is conceptually how a Session variable can possibly somehow be shared between Sessions. I now know the workaround or fix but still don't understand.


            I hear you when you say above that the currentUser has not been overwritten above, but that in itself makes no sense to me since the bean is Stateless and what you are saying means that it is maintaining state.


            Perhaps I need a Java / EJB refresher course due to misunderstood fundamentals.


            Cheers,
            Nico


            • 3. Re: Session scoped variable leaking to application
              nico

              Still trying to get to the bottom of this. It seems https://jira.jboss.org/jira/browse/JBSEAM-3295 might be related to this problem but I'm not sure as the comms between Seam devs does not make sense to me.


              I'm using Seam 2.0.1GA and have started looking for whether this is a bug in Seam rather than me being clueless.

              • 4. Re: Session scoped variable leaking to application
                pdhaigh

                Hi Nico,


                I think it must at the very least be a 'feature'. The state replicating over different sessions is extremely odd. However, it's pretty easy to work around, simply by setting the currentUser to null before each login attempt, or injecting it..


                cheers,


                phil
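                Added example of the workaround described in the reply above, written against the Seam 2 annotations used in the original post; it is not code from the thread or from the Seam project. Two changes are made: currentUser is now both @In(required=false) and @Out, so Seam refreshes the field from the caller's own session before each call and clears it afterwards, and the field is explicitly set to null at the start of authenticate() so a failed login outjects nothing rather than the previous user. The role is also only assigned once the password check has passed; AuthenticatorI and User are the thread's own types and are assumed to exist unchanged.

```java
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.NoResultException;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Out;
import org.jboss.seam.core.Events;
import org.jboss.seam.security.Identity;

@Stateless
@Name("authenticator")
public class Authenticator implements AuthenticatorI
{
    @In @Out
    Identity identity;

    // Injected *and* outjected: Seam populates this from the current session
    // before the call (null if absent) and nulls it after, so a pooled instance
    // cannot carry one session's user into another.
    @In(required=false)
    @Out(scope=ScopeType.SESSION, required=false)
    private User currentUser;

    @In
    EntityManager entityManager;

    public boolean authenticate()
    {
        // Explicit reset as well, so a failed lookup never leaves a stale user
        // in the field to be outjected.
        currentUser = null;
        try
        {
            User candidate = (User) entityManager.createQuery(
                    "from User where username = :username")
                    .setParameter("username", identity.getUsername())
                    .getSingleResult();

            if (!candidate.getPassword().equalsIgnoreCase(identity.getPassword()))
            {
                Events.instance().raiseEvent("invalidLoginPassword", "Incorrect password");
                return false;
            }

            // Publish the user and grant the role only after the password matched.
            currentUser = candidate;
            identity.addRole(currentUser.getRole());
            return true;
        }
        catch (NoResultException ex)
        {
            Events.instance().raiseEvent("invalidLoginUsername", "Invalid username");
            return false;
        }
        catch (Exception ex)
        {
            Events.instance().raiseEvent("invalidLogin", "Login failure");
            return false;
        }
    }

    public String logout()
    {
        identity.logout();
        return "loggedOut";
    }
}
```

                A quick way to confirm the fix is the debugging line already in the JSF page (`id: #{currentUser.id}`): after a successful login in one browser and a failed login in a second browser, the second browser should now render an empty id rather than the first user's.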

                • 5. Re: Session scoped variable leaking to application
                  nico

                  Thanks for the reply Phil.


                  If anybody else out there has any feedback or input I'd much appreciate it. Have already implemented the workaround but think it's important to get to the nuts and bolts of it.

                  • 6. Re: Session scoped variable leaking to application
                    pdhaigh

                    Hi,


                    Do any of the Seam luminaries want to shed some light on this?


                    I'm sure it has potential for some pretty shocking security issues..


                    cheers


                    phil