RE: getSession() thread-safe? User A can see user B's account

[Dhananjay Prasanna]

A session is specific to a user-cookie, there is no way they can get crossed unless the cookies get crossed or somehow the sessions can interact with each other (say with the use of a static or threadlocal object). Plus you defeat the purpose of the framework by working directly with the session in JSF, you should be using session-scoped managed beans instead.   This certainly sounds like you are doing something “evil” with the session—the following code should never be in a user-level construct. At best it can be in some kind of API wrapper/hack to JSF.   From: Dave [mailto:[EMAIL PROTECTED] Sent: Friday, 21 July 2006 10:29 AM To: users@myfaces.apache.org Subject: getSession() thread-safe? User A can see user B's account   Is the following method thread-safe?  After authenticated, a user info is put into session,  when logout, call session.invalidate();   The way to get session:  is it thread-safe?     public static HttpSession getHttpSession(boolean create) {     FacesContext context = FacesContext.getCurrentInstance();     return (HttpSession)context.getExternalContext().getSession(create);   }   Current symptom is: a user info gets into another user's session. So sometimes User A can see User B's info.   If a user clicks two buttons at the same time(two requests belong to one same session), will it be thread-safe?   Thanks for help.   Do you Yahoo!? Next-gen email? Have it all with the all-new Yahoo! Mail Beta. This correspondence is for the named persons only. It may contain confidential or privileged information or both. No confidentiality or privilege is waived or lost by any mis transmission. If you receive this correspondence in error please delete it from your system immediately and notify the sender. You must not disclose, copy or relay on any part of this correspondence, if you are not the intended recipient. Any opinions expressed in this message are those of the individual sender except where the sender expressly, and with the authority, states them to be the opinions of the Department of Emergency Services, Queensland.