On Mon, 23 Aug 2010 01:56:31 -0700 (PDT), Yawar Khan <khanya...@yahoo.com>
wrote:
> Felix, the issue still persists, i dont know what else to do? and i dont
> know
> why this issue is popping up on linux enviroment only. under windows
there
> is no
> session mixup issue.
Well, you have fixed one problem in your code, but maybe there are more
lurking inside your other classes. We haven't seen the code for
"passwordservices.getInstance().encrypt(password)" for example.
"connectionmanager.scgm_conn()" seems to be your own implementation as
well. You should look at all your classes and look for scope mistakes.
Always think about what could happen, if this particular code block would
be visited by two different requests at the same time.
If I remember correctly you had problems getting your source code to linux
because of case sensitivity. Are the code bases for linux and windows the
same now, or do they differ with respect to case and package and class
names? If so, you should try to get the source code to linux without
loosing case sensitivity.
To help you further, we need more infos.
Bye
Felix
>
> Now this are no class wide variables and i had moved them inside the
login
> function.
>
>
>
>
>
>
> ________________________________
> From: Felix Schumacher <felix.schumac...@internetallee.de>
> To: Tomcat Users List <users@tomcat.apache.org>
> Sent: Sat, August 21, 2010 6:07:18 PM
> Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
>
>
>
>
> "Yawar Khan" <khanya...@yahoo.com> schrieb:
>
>>thanks felix, very nicely explained!
>>
>>but do you think that declaring connection and rs variables outside the
>>login
>>function is causing the sessions mixup issue?
>>
>>
> Yes. But I think it is not messing with sessions, but rather messing
with
> the
> values of your user beans.
>
> Hth
> Felix
>>
>>
>>
>>________________________________
>>From: Felix Schumacher <felix.schumac...@internetallee.de>
>>To: Tomcat Users List <users@tomcat.apache.org>
>>Sent: Sat, August 21, 2010 4:13:52 PM
>>Subject: RE: Sessions mix-up on Tomcat 6.0.26 on Linux
>>
>>Am Freitag, den 20.08.2010, 21:54 -0700 schrieb Yawar Khan:
>>> Chris, you identified a possible sql injection in my code and
declaring
>>> it a
>>> very bad piece of code. Despite the fact that jdbc does not allow more
>>> than 1
>
>>> query on this execute function and I am doing fields validation before
>>> submission of the form.
>>>
>>>
>>> Is there another genuine threat or bug that you identified and would
>>> like to
>>> share? Please do, I am sharing the udac source code as well,
>>>
>>>
>>> Wesley you comments are also welcome; somebody also asked that what
>>> will happen
>>>
>>>
>>> in case udac.login throws an exception, well exception handling is
>>> inside this
>>
>>
>>> class. Sorry but i missed that email so i am unable to name that
>>> gentleman
>>> friend.
>>>
>>> package org.mcb.services;
>>>
>>> import java.text.*;
>>> import java.util.*;
>>> import java.sql.*;
>>> import javax.servlet.http.HttpSession;
>>>
>>> public class udac
>>> {
>>> static Connection currentCon = null;
>>> static ResultSet rs = null;
>>This seems to be really problematic. Having ResultSet and Connection
>>shared by many users is a bad idea.
>>
>>Imagine what happens when two requests come in at the same time:
>>
>> Request A Request B
>>
>> login(beanA)
>> |
>> currentCon=new Connection()
>> | login(beanB)
>> | |
>> | currentCon=new Connection() # BOOM you are
>>overwriting the class wide variable currentCon.
>>
>>Same thing can happen to rs too. So better place currentCon and rs as
>>method variables inside of login.
>>
>>>
>>> public static userbean login(userbean bean) {
>>> //preparing some objects for connection
>>> Statement stmt = null;
>>> String userid = bean.getUserId();
>>> String password = bean.getPassword();
>>> String epass = null;
>>> String name = null;
>>> String user_id = null;
>>> String role_id = null;
>>> String branch_code = null;
>>> String last_login = null;
>>> String role_desc = null;
>>> try{
>>> epass =
>>>passwordservices.getInstance().encrypt(password);
>>> //passwordservices is a class which has functions to
>>>ecrypt a
>>> string and return back the string.
>>> }catch(Exception e){
>>> System.out.println(e);
>>I find it very useful to use a logging framework for reporting errors.
>>And adding information about the state in which the error occured might
>>help finding the root cause more easily.
>>
>>> }
>>> String searchQuery = "SELECT a.USER_ID,a.NAME,
>>>a.BRANCH_CODE,
>>> a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM
>>> LOGIN_INFORMATION a,
>>>
>>>
>>> ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
>>> searchQuery = searchQuery + "AND LOWER(a.USER_ID) =
>>>LOWER('"+ userid
>>>
>>>
>>> + "') AND a.PASSWORD = '"+epass+"'";
>>If your are using prepared Statements with parameters, you don't have to
>>worry, if someone has forgotten to check those parameters for
>>sql-injection. But you were told so already.
>>
>>Bye
>>Felix
>>
>>> try{
>>> //connect to DB: connectionmanager is a class which
>>>contains
>>> connection functions
>>> currentCon = connectionmanager.scgm_conn();
>>>
>>> stmt=currentCon.createStatement();
>>> rs = stmt.executeQuery(searchQuery);
>>> boolean hasdata=false;
>>> while(rs.next()) {
>>> hasdata=true;
>>> name = rs.getString("NAME");
>>> user_id = rs.getString("USER_ID");
>>> branch_code = rs.getString("BRANCH_CODE");
>>> role_id = rs.getString("ROLE_ID");
>>> last_login = rs.getString("LAST_LOGIN_DATE");
>>> role_desc = rs.getString("ROLE_DESC");
>>> bean.setName(name);
>>> bean.setUserId(user_id);
>>> bean.setBranch(branch_code);
>>> bean.setRole(role_id);
>>> bean.setLastLogin(last_login);
>>> bean.setRoleDesc(role_desc);
>>> bean.setValid(true);
>>> }
>>> if(!hasdata) {
>>> System.out.println("Sorry, you are not a registered
>>>user!
>>> Please sign up first "+ searchQuery);
>>> bean.setValid(false);
>>> }
>>> }catch (Exception ex){
>>> System.out.println("Log In failed: An Exception has
>>>occurred! " +
>>
>>
>>> ex);
>>> }
>>> //some exception handling
>>> finally{
>>> if (rs != null) {
>>> try {
>>> rs.close();
>>> } catch (Exception e) {}
>>> rs = null;
>>> }
>>>
>>> if (stmt != null) {
>>> try {
>>> stmt.close();
>>> } catch (Exception e) {}
>>> stmt = null;
>>> }
>>>
>>> if (currentCon != null) {
>>> try {
>>> currentCon.close();
>>> } catch (Exception e) {
>>> }
>>>
>>> currentCon = null;
>>> }
>>> }
>>> return bean;
>>>
>>> }
>>> }
>>>
>>> ysk
>>> -----Original Message-----
>>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>>> Sent: Friday, August 20, 2010 3:43 AM
>>> To: Tomcat Users List
>>> Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Wesley,
>>>
>>> On 8/19/2010 5:04 PM, Wesley Acheson wrote:
>>> > Maybe its just be but I still don't see where uadc is declared or
even
>>> > imported.
>>>
>>> ...or even used.
>>>
>>> I'm guessing that the bad code exists outside of this login servlet.
>>>
>>> - -chris
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.10 (MingW32)
>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>>
>>> iEYEARECAAYFAkxts1YACgkQ9CaO5/Lv0PBitwCeMXvEXLi1L9rnLmTVP4nofIGH
>>> NkAAnj9DTqFLwLAYxb2MQuI6v6ckVcYm
>>> =DR0I
>>> -----END PGP SIGNATURE-----
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>>
>>>
>>
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
