Hi Chris, I am using JSF (apache faces). The way to get Session or HttpServletRequest from a backing bean is through FacesContext. Backing beans are not servlet, so can not access HttpServletRequest directly. After synchronizing the method, I still got the same problem. It is in production stage and users are starting to use it. I am very nerveous. Thanks! Dave
Christopher Schultz <[EMAIL PROTECTED]> wrote: DAve, > Current symptom is: a user info gets into another user's session. So > sometimes User A can see User B's info. > > The way to get session: is it thread-safe? > > public static HttpSession getHttpSession(boolean create) { > FacesContext context = FacesContext.getCurrentInstance(); return > (HttpSession)context.getExternalContext().getSession(create); } A static getHttpSession method is almost sure to cause problems. Why are you not using HttpServletRequest.getSession? This method accepts no information from the caller that identifies the user trying to get their session. How do you identify users or sessions? Where is the session id? -chris --------------------------------- Yahoo! Music Unlimited - Access over 1 million songs.Try it free.