With the exception of supporting Single Sign On sessions, JBoss does not affect how Tomcat handles HTTPSessions. AFAIK.
I have never seen this behavior before, and would trust that Tomcat's session management has been fully tested. I would look at your application first. Verify session IDs during odd behavior.
I am not completely sure I understand what you mean by "sees pages from other user's accounts".
Do you mean that if user A requests to see page 1 and user B requests to see page 2, user A is receiving page 2?
Which client browser do you use?
Yes, if user A requests to see page 1, and user B requests page 2, page 1 is served to user B, and when I out.println()-ed the session id - user B gets the session ID of user A.
A friend of mine told me that this might occur because of network-caching issues. Luckily I'm currently using a test server, so I will change it soon.
@Richard: Some of the users use IE, others - FF. Some even use Opera.
If you think the browser might affect this behaviour, I will keep track of the browsers used.
When user A logs in, note session ID. Then when user B logs in note session ID. Finally, check session ID again after user A requests page 1 and user B requests page 2. Also, if possible, check the cookie values in each user's browser at the same points.
It may be helpful (although time consuming) to create a Filter and output request info on the way in and response info on the way out of your application. Info could be IP addresses, and cookies, session IDs, and Principal names.
Make sure your Tomcat server is configured to use session cookies in server.xml (the default value is true).
Are you in a clustered environment?
Are you using single sign on?
No, I'm not in a clustered environment, and I don't use Single Sign On.
It is strange, indeed.
I've put an out.println(session.getId()) in my footer.jsp, and told my users to monitor the values. The result was: when user A sees pages from user B's account, the session ID also changes. (I.e. he is currently identified as the other user). I'll now output the IP address, so that things get clearer, but if it is a network-cache problem, then I'm to be calm :)
I am having the same problem, using JBoss 4.0.5. Did you find a solution to this?
When you do your tests, do you log the 2 users from the same machine?
Have you tried to use 2 different machines to see if the problem still occurs?
Could be an IE problem (feature?) with sessions when starting 2 IE instances on the same machine.
No, I am using different machines and different browsers. It does not matter which browser is used.
I'm having this same issue in a production environment using a single JBoss AS 4.0.2, no cluster, and an Apache 2.2 frontend.
This only gets noticed if 2 (or more, I guess) users send the same transaction at the same time.
User B gets charged the amount of what user A wanted to buy, and user A gets user B's payment confirmation and user B gets a controlled error saying their card transaction could not be processed at the time, to try again.
This is getting very exhausting, any comments on this kind of behavior? Thanks!
It is better to use a Filter in your web application. Check the session in the filter class; whenever the URL changes, the filter will be called.
If the session is null, transfer the page to the user's login page, or wherever you want to transfer the page.
Get rid of any and all class variables in your servlet classes. Especially static ones.
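
The last reply's advice, shown as an added example that is not code from any poster in this thread: a plain-JDK model of a container sharing one servlet instance across request threads, where per-request state kept in an instance field hands user A the response built for user B, next to the local-variable version that does not. The names `SharedFieldDemo`, `UnsafeHandler`, `SafeHandler` and `responseSeenByA` are hypothetical, and the latches only force the overlap that happens by chance under load.

```java
import java.util.concurrent.*;
// Constructed model (no servlet API): ONE handler instance serves all request threads.
public class SharedFieldDemo {
    interface Work { void run() throws Exception; }   // stands in for slow I/O mid-request
    interface Handler { String handle(String sessionUser, Work slowWork) throws Exception; }

    // Vulnerable: the field belongs to the shared instance, not to the request.
    static class UnsafeHandler implements Handler {
        private String currentUser;
        public String handle(String sessionUser, Work slowWork) throws Exception {
            currentUser = sessionUser;                // overwritten by the next request
            slowWork.run();                           // another request can run here
            return "order confirmation for " + currentUser;
        }
    }

    // Fixed: per-request state is a local variable on the request thread's stack.
    static class SafeHandler implements Handler {
        public String handle(String sessionUser, Work slowWork) throws Exception {
            String user = sessionUser;
            slowWork.run();
            return "order confirmation for " + user;
        }
    }

    // Starts request A, lets request B run to completion while A is mid-request,
    // then returns the response that A finally receives.
    static String responseSeenByA(Handler h) throws Exception {
        CountDownLatch aStored = new CountDownLatch(1), bDone = new CountDownLatch(1);
        ExecutorService pool = Executors.newFixedThreadPool(2);
        try {
            Future<String> a = pool.submit(() ->
                h.handle("userA", () -> { aStored.countDown(); bDone.await(); }));
            Future<String> b = pool.submit(() -> {
                aStored.await();                      // arrive after A stored its user
                String r = h.handle("userB", () -> { });
                bDone.countDown();                    // let A continue
                return r;
            });
            b.get();
            return a.get();
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unsafe: A receives -> " + responseSeenByA(new UnsafeHandler()));
        System.out.println("safe:   A receives -> " + responseSeenByA(new SafeHandler()));
    }
}
```

The same applies to static fields and to JSP declarations (`<%! ... %>`), which compile to fields of the shared servlet class.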