0

I am facing a strange issue:

I have a page with an email field in it. When I submit the page, control goes to a servlet where I save the email value in the session using:

    request.getSession().setAttribute("email_Value", request.getParameter("email_Value"));

Now, on the basis of this email value, I look up the database and extract the information for this user. If the information is found, I remove the session attribute with:

    request.getSession().removeAttribute("email_Value");

If not, I redirect the request to the same page with an error message and a prefilled email value, which I extract from the session using:

    if (null != request.getSession().getAttribute("email_Value")) {
        String Email = (String) request.getSession().getAttribute("email_Value");
        request.getSession().removeAttribute("email_Value");
    }

It works fine on our development and UAT environments, but the problem occurs only on PROD, where we have a load balancer.

The issue is that, on coming back to the same page, it changes the email address field to some different email value which I have not even entered on my machine, i.e. it is accessing someone else's session.

Could someone provide any pointers to resolve this issue? As this is a production issue, any help would be appreciated.

Thanks

user3306543

3 Answers

0

Looks like you need to use sticky sessions. This must be configured in Apache.

injecteer
0

HTTP is a stateless protocol, meaning the server doesn't know how to identify a client over a period of time. When a client makes a call to the server (load balanced, say server_1 and server_2), it could reach either server_1 or server_2. Assume the request reaches server_1; your code now creates a session and adds the email to the session. When the same client makes another call to the server, this time it hits server_2. The email which is in the server_1 session is not available to server_2, and server_2 might have an email from another session; that's why you are seeing another email address. Hope it's clear.

Solution:

  1. URL Rewriting
  2. Cookies
Sajan Chandran
  • Thanks for your reply, but in our application we also have login functionality where the entire user DTO object is saved in session and accessing the values from registration to login or update profile page. We are not doing anything different there and still it is working. Also, do you think any pass by reference or something like that is causing the issue? – user3306543 Jun 03 '14 at 10:20
  • Moreover, if my request is coming to server 2 then ideally it should not get any value; in fact, it should be a new session for server 2, but it is getting a value from a session which was probably created by some other user from a different machine. – user3306543 Jun 03 '14 at 10:23
0

If your application is deployed on multiple servers, chances are that your sessions may get transferred between servers. Also, in such scenarios, if you are storing any objects in sessions, they HAVE TO implement the Serializable interface. If they don't, then the data will not be persisted when the session gets migrated.

Also, it seems that the session gets interchanged with another one. Are you storing anything at Application level? I would also advise you to look into HttpSessionActivationListener for your case.

Darshan Mehta
  • Also, please make sure that you aren't storing anything in instance variables of `servlet`. Everything has to be manipulated by local variables. – Darshan Mehta Jun 03 '14 at 10:35
  • Could you elaborate more on how and where I need to implement the Serializable interface? – user3306543 Jun 03 '14 at 10:35
  • All the user defined objects being put in session as attribute have to implement Serializable. UserDTO in your case I believe. – Darshan Mehta Jun 03 '14 at 10:38
  • I am doing it exactly the same way I have mentioned in the code snippet above. Do you see any problem in that, or do you want me to initialize the session variable first, like HttpSession session = request.getSession(); and then set the attribute? – user3306543 Jun 03 '14 at 10:38
  • Yes, I just checked that User DTO object implements Serializable, what can I do for this single email field? – user3306543 Jun 03 '14 at 10:40
  • I believe you are using `request.getSession(boolean)` in your application. `getSession()` will always give you a new session. Read this -> http://www.coderanch.com/t/364672/Servlets/java/request-getSession-request-getSession-boolean – Darshan Mehta Jun 03 '14 at 10:41
  • No, I am not using request.getSession(boolean), and if getSession will always return a new session then in my case I should always get a blank value, but instead I am getting a value, and that too from a different session object. I am still not clear what changes I need to make to overcome this issue. – user3306543 Jun 03 '14 at 10:49
  • Are you storing email id or any other value in a static/instance variable in any class? – Darshan Mehta Jun 03 '14 at 11:01
  • No, I am not storing any value in a static instance, just saving directly to session and fetching from session. – user3306543 Jun 03 '14 at 11:34
  • I am directly setting request.getParameter in session, do you think it can have any impact? – user3306543 Jun 03 '14 at 11:44
  • Hello All, please let me know some solution – user3306543 Jun 03 '14 at 14:23
  • May I know which load balancer you are using? Also, which server are you using? – Darshan Mehta Jun 03 '14 at 14:41
  • We have 2 Tomcat servers on PROD. The strange thing is that we are using other variables too in session which are not objects but simply string variables. However, there we have taken the value from the request through request.getParameter() and assigned it to a local variable, and that local variable we are setting in session. However, here I am directly setting request.getParameter(). Can this be the issue? – user3306543 Jun 03 '14 at 15:27
  • It doesn't cause any issue if the request parameter is retrieved into local variable before being set into session or not. However, it seems there is something wrong in the application itself rather than server configuration. Are you accessing session in scriptlet on JSP? Can you post the code where you are setting and getting this session attribute? Also, see this link -> http://www.coderanch.com/t/482072/Tomcat/Session-Crossover-Tomcat – Darshan Mehta Jun 04 '14 at 06:06
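
The comments above ask whether request data is being kept in an instance or static variable of a servlet. The following is an added example, not code from the thread or from the asker's application, showing why that pattern leaks one user's value to another; it runs on the JDK alone, and `FieldHandler`, `LocalHandler` and `countCrossovers` are hypothetical names standing in for a servlet that the container shares across request threads.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

// Constructed demo: one handler instance serves many threads, as a servlet does.
public class SessionCrossoverDemo {

    interface Handler { String handle(String emailParam) throws InterruptedException; }

    // Unsafe: request data kept in an instance field shared by all request threads.
    static class FieldHandler implements Handler {
        private String email;
        public String handle(String emailParam) throws InterruptedException {
            email = emailParam;
            Thread.sleep(1);      // stands in for the database lookup
            return email;         // may now hold another request's value
        }
    }

    // Safe: request data kept in a local variable, confined to the calling thread.
    static class LocalHandler implements Handler {
        public String handle(String emailParam) throws InterruptedException {
            String email = emailParam;
            Thread.sleep(1);
            return email;
        }
    }

    // Sends concurrent requests and counts replies that carry someone else's email.
    static int countCrossovers(Handler h, int requests) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        AtomicInteger crossed = new AtomicInteger();
        for (int i = 0; i < requests; i++) {
            String mine = "user" + i + "@example.test";   // constructed sample input
            pool.submit(() -> {
                try {
                    if (!mine.equals(h.handle(mine))) crossed.incrementAndGet();
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(30, TimeUnit.SECONDS);
        return crossed.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("instance field: " + countCrossovers(new FieldHandler(), 200));
        System.out.println("local variable: " + countCrossovers(new LocalHandler(), 200));
    }
}
```

The instance-field count depends on thread timing and so varies between runs, which is why this kind of defect tends to stay hidden on lightly loaded development and UAT systems; the local-variable handler cannot cross values because nothing is shared between threads.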