With this code, you're not *creating* a session, you're retrieving the session that the user has connected with (request.getSession()). Usually this kind of issue occurs when the variable "session" is stored with an inappropriate scope, so that it is accessible from more than one class instance.
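As an added illustration of the scoping problem described above (example code, not code from the thread): the first servlet keeps `session` in an instance field, which the container shares between the concurrent request threads it dispatches to that single servlet instance, so one user's request can overwrite the reference another request is still using; the second keeps it local to each request. Class names and the use of request parameters for the user values are assumptions; the attribute names and redirect target are the ones from the thread.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// BROKEN (hypothetical class): the container creates one instance of this servlet
// and runs every request through it on its own thread, so the field below is
// shared state. Thread A assigns user A's session, thread B assigns user B's
// session a moment later, and A's attributes land in B's session (or A reads B's).
class BrokenLoginServlet extends HttpServlet {
    private HttpSession session; // shared by all concurrent requests: the bug

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        session = request.getSession();
        // another request may replace 'session' between these two statements
        session.setAttribute("idUser", request.getParameter("idUser"));
        session.setAttribute("username", request.getParameter("username"));
        session.setAttribute("idrol", request.getParameter("idrol"));
        response.sendRedirect("principal.jsp");
    }
}

// FIXED (hypothetical class): the session reference is a local variable, so each
// request thread holds only the session that belongs to its own HttpServletRequest.
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(); // scoped to this request only
        session.setAttribute("idUser", request.getParameter("idUser"));
        session.setAttribute("username", request.getParameter("username"));
        session.setAttribute("idrol", request.getParameter("idrol"));
        response.sendRedirect("principal.jsp");
    }
}
```

The same rule applies to any other per-user object (request, response, user id) held in a servlet or helper field: a servlet is effectively a singleton, so per-request state must live in locals or in the request/session itself.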


On 11/11/2013 8:24 AM, Jose Irrazabal wrote:
Thanks for the answer. Then can it be when generating the session?

I use a servlet to create the session with the code:
    HttpSession session = request.getSession();
Then I add the attributes:
    session.setAttribute("idUser", p_iduser);
    session.setAttribute("username", p_username);
    session.setAttribute("idrol", p_idrol);
And redirect to the page "principal.jsp":
    response.sendRedirect("principal.jsp");
On the page "principal.jsp", I recover the attributes for display:
    session = request.getSession(false);
    String idUser = (String) session.getAttribute("idUser");
    String username = (String) session.getAttribute("username");
    String idrol = (String) session.getAttribute("idrol");

This is where the problem occurred: a user's session captured the other user's
session. May it be that this procedure is bad?

thanks


2013/11/11 Mark Thomas <ma...@apache.org>

On 11/11/2013 11:54, Jose Irrazabal wrote:
Hi All,

I use Apache Tomcat/7.0.29 to deploy my applications, and I have a
problem of duplicated user sessions or something: it occurs unpredictably
that a user acquires the session of another user, and I reported 3 cases of
this type of security error.

Exactly what problem do you observe?

I need your help to know how the JSESSIONID is generated because I
suspect that the error is when the session is generated. Example: JSESSIONID:
5DC89FC25D2CEC391A0EC1D3F07F0941

It is generated from a SecureRandom. That is not going to be the source
of the problem you are seeing.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
