One user seeing another user's data


  1. One user seeing another user's data (6 messages)

    hi all,
       The problem in the context...
    Ours is a J2EE application and the problem we are facing is,
    when a user logs in he is able to see the data that belongs to another user, which he is not supposed to.
    We thought this could be because of caching and have implemented all possible solutions to prevent caching.
    But in vain.
    So if anyone can diagnose this problem and suggest a solution, it will be of great help, since the application is in the production environment.
    Thanks in advance.
    Rashmi

    Threaded Messages (6)

  2. Do you have a proxy server?

    Do your users access the application through a proxy server? I have seen this problem when the proxy server caches the pages. To solve this issue, you need to ensure that each page URL is unique so that the proxy server is fooled. Try generating a unique number and adding it to your URLs.
  3. Hi,

    This could also be happening because the web server is reusing the session objects. This should be solved by invalidating the session when the user logs out.

    Best regards, Mircea
  4. hi all, The problem in the context... Ours is a J2EE application and the problem we are facing is, when a user logs in he is able to see the data that belongs to another user, which he is not supposed to. We thought this could be because of caching and have implemented all possible solutions to prevent caching. But in vain. So if anyone can diagnose this problem and suggest a solution, it will be of great help, since the application is in the production environment. Thanks in advance. Rashmi
    This is a common problem that cannot be avoided. The best solution is to have your users sign a waiver that absolves your company's responsibility from letting users see others' data.
  5. This is a common problem that cannot be avoided. The best solution is to have your users sign a waiver that absolves your company's responsibility from letting users see others' data.
    Give me a break. It may be a common problem, but that does not mean it cannot be avoided. I have had to develop several applications that had to *guarantee* there was no collusion of customer data. Whether it's a bad query or a poorly maintained application context, it is correctable. Absolving liability is a cop-out -- Find the bug and fix it.
  6. This is a common problem that cannot be avoided. The best solution is to have your users sign a waiver that absolves your company's responsibility from letting users see others' data.
    Give me a break. It may be a common problem, but that does not mean it cannot be avoided. I have had to develop several applications that had to *guarantee* there was no collusion of customer data. Whether it's a bad query or a poorly maintained application context, it is correctable. Absolving liability is a cop-out -- Find the bug and fix it.
    Dude, my previous entry was sarcasm. You give ME a break.
    Cheers!
  7. One user seeing another user's data

    i've seen this once as a result of a programming error: someone either inadvertently cached a session object in the application context or set it as an instance variable on a singleton. either way, whichever thread set the session object last was the one the rest of the users were viewing. so we were getting all kinds of weird behavior that wasn't reproducible without load.

    if you store data-centric user permissions in the session, i'd start there...possibly write a HttpSessionBindingListener and compare what's getting dumped into the session against the user that session should belong to...

    good luck...
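
The instance-variable-on-a-singleton bug described in the last post, reduced to plain Java so it runs without a servlet container. This is an added example, not code from the thread; `BrokenHandler`, `FixedHandler`, `aliceSeesUnderLoad` and the sample records are hypothetical stand-ins for a servlet and its data:

```java
import java.util.Map;

// Added example: plain-Java stand-in for a servlet or singleton, which the
// container creates once and calls from many request threads at the same time.
public class SharedStateLeak {

    // Constructed sample data: one private record per user.
    static final Map<String, String> RECORDS =
            Map.of("alice", "statement for alice", "bob", "statement for bob");

    interface Handler { String handle(String sessionUser, Runnable slowWork); }

    // Broken: the logged-in user is kept in an instance field, so the last
    // request thread to write it decides what every in-flight request reads.
    static class BrokenHandler implements Handler {
        private String currentUser;
        public String handle(String sessionUser, Runnable slowWork) {
            currentUser = sessionUser;
            slowWork.run();                    // e.g. a database call
            return RECORDS.get(currentUser);   // may now be another user's name
        }
    }

    // Fixed: per-request state stays in parameters and locals, which each
    // request thread owns.
    static class FixedHandler implements Handler {
        public String handle(String sessionUser, Runnable slowWork) {
            slowWork.run();
            return RECORDS.get(sessionUser);
        }
    }

    // Serves alice's request and, while it is in its slow step, serves bob's
    // request on a second thread. Returns what alice is shown.
    static String aliceSeesUnderLoad(Handler h) {
        return h.handle("alice", () -> {
            Thread bob = new Thread(() -> h.handle("bob", () -> { }));
            bob.start();
            try {
                bob.join();
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        });
    }

    public static void main(String[] args) {
        System.out.println("broken: " + aliceSeesUnderLoad(new BrokenHandler()));
        System.out.println("fixed:  " + aliceSeesUnderLoad(new FixedHandler()));
    }
}
```

The second thread is started inside the first request's slow step to force the interleaving that otherwise only shows up under load, which is why this class of bug is hard to reproduce with a single test user.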