users@glassfish.java.net

HTTP Session crossing between users (for the lack of a better way to put it)

From: <forums_at_java.net>
Date: Wed, 13 Apr 2011 09:00:01 -0500 (CDT)

 Hi

We use Glassfish v2.1. We've had a weird problem recently reported. User A
has complained that they saw a page that showed details of User B. The data
shown on the page in question is dynamic and we query it based on user
information on the session. I've been through the code and that definitely
gets the data from the session and nothing to do with request parameters. I
could see this happening, if User B had the same sessionID as User A, but I'm
sure that can't happen. We don't use sticky sessions from our load balancer so
a user gets pinned to one node in the cluster once accessed.

User B hasn't been on User A's machine as well. So I can't see a way where
the machine would have a cookie for User B. Other than User A having a
sessionID that is the same as User B's. Can this ever happen? To my knowledge it
can't. Would like to hear from anyone if there are any possibilities at all.
Thanks!!

Cheers
-- Imran
 

 


--
[Message sent by forum member 'imranbohoran']
View Post: http://forums.java.net/node/791266
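
One way to test the hypothesis raised in the post above (two users presenting the same session ID) is to scan a per-request audit log for session IDs tied to more than one authenticated user. This is an added example, not part of the original post and not GlassFish code; the log format, field order and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines. Assumed format, written by the application
# itself on every authenticated request:
#   ISO timestamp, cluster node, session ID (shortened placeholder), user
SAMPLE_LOG = """\
2011-04-12T10:00:01 node1 a1f3c9 userA
2011-04-12T10:00:05 node2 77be02 userB
2011-04-12T10:02:10 node1 a1f3c9 userA
2011-04-12T10:02:30 node2 a1f3c9 userB
2011-04-12T10:03:00 node2 77be02 userB
2011-04-12T10:04:00 node1 # malformed line
"""


def parse(line):
    """Return (timestamp, node, session_id, user), or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, node, sid, user = parts
    try:
        return datetime.fromisoformat(ts), node, sid, user
    except ValueError:
        return None


def shared_sessions(log_text):
    """Map each session ID seen with more than one user to
    {user: [(timestamp, node), ...]}, sorted by time."""
    seen = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        ts, node, sid, user = rec
        seen[sid][user].append((ts, node))
    return {
        sid: {user: sorted(hits) for user, hits in users.items()}
        for sid, users in seen.items()
        if len(users) > 1
    }


if __name__ == "__main__":
    for sid, users in shared_sessions(SAMPLE_LOG).items():
        for user, hits in users.items():
            for ts, node in hits:
                print(sid, user, node, ts.isoformat())
```

In a real deployment, log a hash of the session ID instead of the raw value, so the audit log cannot itself be used to take over a session.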