#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2005
    Posts
    38
    Rep Power
    14

    Data being shared across users!!! Please Help!!


    Hello,

    I have developed a website whose navigation is managed by a servlet, i.e. all requests are posted to the servlet, which in turn routes the requests accordingly. Today, during testing, I logged in to the system. Meanwhile, my friend tried to log in on another machine [not networked] and saw that it was showing as already logged in. On further examination, it appeared as if I was logged in on his machine. What could be the problem? Why is my session information [from user_id and user_info] being made available to him? I would really be grateful for any help.


    Here is the code:

    Code:
    public final class SwitchboardServlet extends HttpServlet {
    
    	/**
    	 * @see javax.servlet.GenericServlet#void ()
    	 */
    
    	private final String CLASS_NAME = "SwitchboardServlet";
    
    	private static final long serialVersionUID = 1L;
    
    	private int userID;
    
    	private String userAction;
    
    	private String userSubaction;
    
    	private boolean userIsValidated;
    
    	private UserLoginManage objLoginManage = new UserLoginManage();
    
    	private UserInfo objUser = new UserInfo();
    
    	private UserInfoManage objUserManage = new UserInfoManage();
    
    	private LogDetail log = new LogDetail();
    
    	private LogManage logger = new LogManage();
    
    	Utilities utils = new Utilities();
    
    	private String userIP = "";
    
    	public void destroy() {
    
    		super.destroy();
    
    		sessionID = "";
    
    	}
    
    	/**
    	 * @see javax.servlet.http.HttpServlet#void
    	 *      (javax.servlet.http.HttpServletRequest,
    	 *      javax.servlet.http.HttpServletResponse)
    	 */
    	public void doGet(HttpServletRequest req, HttpServletResponse resp)
    			throws ServletException, IOException {
    
    		String METHOD_NAME = "doGet(HttpServletRequest, HttpServletResponse)";
    
    		userAction = req.getParameter("action");
    		userSubaction = req.getParameter("subaction");
    
    		userIP = "IP:" + req.getRemoteAddr() + " Host:" + req.getRemoteHost();
    
    		System.out.println(CLASS_NAME + " : " + METHOD_NAME + ": action =  "
    				+ userAction + ": sub-action =  " + userSubaction);
    
    		//==========
    		
    		HttpSession objSession = req.getSession(true);
    		
    		//==========
    		// load randomly selected books
    		objSession.setAttribute("random_books", new ResourceManage()
    				.selectBooksAtRandom());
    
    		// load randomly selected quotes
    		objSession.setAttribute("random_quotes", utils.selectQuotesAtRandom());
    
    		// guilty until proven innocent
    		userIsValidated = false;
    
    		if (objSession.getAttribute("user_id") != null) {
    
    			userID = ((Integer) objSession.getAttribute("user_id")).intValue();
    
    		}
    
    		if (userID == 0) {
    
    			userID = validateUser(objSession, req, resp);
    		}
    
    		if (userID != 0 || objSession.getAttribute("user_info") == null) {
    
    			// user login is validated
    			userIsValidated = true;
    			// set user id in session
    			objSession.setAttribute("user_id", new Integer(userID));
    			// check if user is admin and set in session
    			objSession.setAttribute("user_admin_flag", new Boolean(
    					objUserManage.isAdmin(userID)));
    			// set user info in session
    			objSession.setAttribute("user_info", objUserManage
    					.getUserInfo(userID));
    		}
    
    		// Next...depending on the action,
    		// check for credentials and re-route appropriately
    		System.out.println("userID = " + userID);
    
    		navigateApplication(objSession, req, resp);
    
    	}
    
    }
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Nov 2004
    Location
    Washington DC
    Posts
    2,755
    Rep Power
    1576
    What specifically is being shared across the users?

    The problem is most likely caused by the instance variables in your servlet.
    Those are shared across everyone using the servlet. Each request does *not* get its own servlet. Only one servlet gets init for everyone to use. So all that means is you and your friend are using the same servlet. You get there first and the instance variables get set. When your friend uses the servlet, the instance variables will have your information saved.

    I don't see specifically which variable is causing the problem; either post your full code or see if you can't find the culprit with your new knowledge.

    Comments on this post

    • Yawmark agrees
    Open for extension, closed for modification
  4. #3
  5. Feelin' Groovy
    Devshed Supreme Being (6500+ posts)

    Join Date
    Aug 2001
    Location
    Chicago, IL
    Posts
    10,131
    Rep Power
    5058
    I highly recommend not using instance variables in servlets. That's almost always a design flaw.
    Yawmark
    class Sig{public static void main(String...args){\u0066or(int
    \u0020$:"v\"ʲ\"vΤ\"".to\u0043h\u0061rArray()
    )System./*goto/*$/%\u0126//^\u002A\u002Fout.print((char)(($>>
    +(~'"'&'#'))+('<'>>('\\'/'.')/\u002Array.const(~1)\*\u002F)));}}
  6. #4
  7. No Profile Picture
    Contributing User
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Nov 2004
    Location
    Washington DC
    Posts
    2,755
    Rep Power
    1576
    Originally Posted by Yawmark
    I highly recommend not using instance variables in servlets. That's almost always a design flaw.
    I had a bug for 5 months before I realized this. The existing code had instance variables and the existing code was careful (or accidentally, I'm not sure) to make sure that the doGet/post "reset" the instance variable. That was until I came along and added some new code without realizing the impact.

    Not a good 5 months. Did learn a lot though.
    Open for extension, closed for modification
  8. #5
  9. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2005
    Posts
    38
    Rep Power
    14
    Thank you all for the lead. I'll work on this and get back. So what you are saying is that I should only use local variables? within each method?
  10. #6
  11. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2004
    Posts
    118
    Rep Power
    17

    HTTPSession


    Originally Posted by leonardjensan
    Thank you all for the lead. I'll work on this and get back. So what you are saying is that I should only use local variables? within each method?
    That's right. If you need to maintain state information for each user across multiple posts, use the HTTPSession object. It's like a Hashtable for storing any type of object. You can also write out information to the HTML source in hidden form fields (as long as it's not sensitive info).

    Comments on this post

    • Yawmark agrees
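
Added example (not part of any post in this thread): a plain-JDK simulation of the failure discussed above, next to the fix of using local variables plus the session. `Session`, `validateUser`, the login name and the user id 42 are hypothetical stand-ins for `HttpSession` and the poster's own classes, and the control flow is a simplified version of the posted `doGet()`.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: plain-JDK stand-ins for the container. One handler
// object serves every request, exactly as one servlet instance does.
public class SharedServletStateDemo {

    // Stand-in for HttpSession: one attribute map per browser.
    static final class Session {
        final Map<String, Object> attrs = new HashMap<>();
    }

    // Hypothetical login check: returns a user id, or 0 when no credentials were sent.
    static int validateUser(String login) {
        return "leonard".equals(login) ? 42 : 0;
    }

    // Same shape as the posted doGet(): userID is a field of the shared instance.
    static final class LeakyHandler {
        private int userID; // survives from one request to the next
        int handle(Session s, String login) {
            if (s.attrs.get("user_id") != null) userID = (Integer) s.attrs.get("user_id");
            if (userID == 0) userID = validateUser(login); // skipped: field still holds the last user
            if (userID != 0) s.attrs.put("user_id", userID);
            return userID;
        }
    }

    // Fix: per-request values are locals, per-user values live in the session only.
    static final class SafeHandler {
        int handle(Session s, String login) {
            Integer stored = (Integer) s.attrs.get("user_id");
            int userID = (stored != null) ? stored : validateUser(login);
            if (userID != 0) s.attrs.put("user_id", userID);
            return userID;
        }
    }

    public static void main(String[] args) {
        LeakyHandler leaky = new LeakyHandler();
        SafeHandler safe = new SafeHandler();
        // Constructed scenario: the first user logs in, then an anonymous visitor
        // arrives from another machine with a brand-new session.
        System.out.println("leaky, user A logs in : " + leaky.handle(new Session(), "leonard"));
        System.out.println("leaky, anonymous visit: " + leaky.handle(new Session(), null));
        System.out.println("safe,  user A logs in : " + safe.handle(new Session(), "leonard"));
        System.out.println("safe,  anonymous visit: " + safe.handle(new Session(), null));
    }
}
```

With the leaky handler the anonymous visitor's fresh session is stamped with the first user's id; with the safe handler it stays unauthenticated. Resetting the field at the top of each request would only hide this sequential case, since two requests running concurrently on the same instance can still overwrite each other's values.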
  12. #7
  13. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2005
    Posts
    38
    Rep Power
    14
    Thank you guys!!!!!! This seems to have done the job
