One client user sees HttpSession data belonging to another client user

Technote (FAQ)
Problem
Debugging a problem with one user seeing HttpSession data belonging to another user.
Cause
One common cause of one user seeing HttpSession data belonging to another user is a PrintWriter or an HttpServletResponse being stored on a bean (or other object) that is eventually stored either on a session or in a globally accessed (servlet-level) variable.

Another cause of this problem is the use of <%! ... %> in a JSP to declare variables. The proper use for the vast majority of applications is <% ... %> (no ! mark). The ! causes variables (and methods) to be declared at the Servlet level and shared across all requests for that JSP. Without the ! mark, variables are declared at the service() method level - private to each new incoming HTTP request.
Solution
  • Check your application code to ensure you are not storing a PrintWriter or HttpServletResponse within a session object.

  • Check your JSPs to ensure you are not declaring variables using the following format: <%! ... %>. If you are, remove the "!".
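
The difference between the two JSP forms, shown as an added example (not IBM's code): a plain Java model of the servlet class a JSP compiles to, with no servlet API involved. The class and method names are hypothetical, and the latches are constructed to force the interleaving that happens by chance under real concurrent load.

```java
import java.util.concurrent.CountDownLatch;

// Constructed model of the servlet class a JSP compiler generates; one
// instance serves every request, so instance fields are shared state.
public class JspDeclarationDemo {
    // Equivalent of: <%! String user; %>  (field on the shared servlet)
    private String user;

    // Problem form: service() parks the request's value in the shared field.
    String serviceWithDeclaration(String requestUser, CountDownLatch written,
                                  CountDownLatch proceed) throws InterruptedException {
        user = requestUser;
        written.countDown();   // signal: this request has stored its value
        proceed.await();       // constructed pause, stands in for slow I/O
        return "Hello " + user;
    }

    // Corrected form: equivalent of <% String user = ...; %>, a local of service().
    String serviceWithScriptlet(String requestUser) {
        String user = requestUser;
        return "Hello " + user;
    }

    public static void main(String[] args) throws Exception {
        JspDeclarationDemo servlet = new JspDeclarationDemo(); // single instance
        CountDownLatch aliceWrote = new CountDownLatch(1);
        CountDownLatch bobDone = new CountDownLatch(1);
        String[] aliceSaw = new String[1];
        Thread alice = new Thread(() -> {
            try {
                aliceSaw[0] = servlet.serviceWithDeclaration("alice", aliceWrote, bobDone);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        });
        alice.start();
        aliceWrote.await();    // alice's request is now mid-flight
        // bob's request runs to completion on the same servlet instance
        String bobSaw = servlet.serviceWithDeclaration("bob",
                new CountDownLatch(1), new CountDownLatch(0));
        bobDone.countDown();   // let alice's request finish
        alice.join();
        System.out.println("alice's response: " + aliceSaw[0]);
        System.out.println("bob's response:   " + bobSaw);
        System.out.println("scriptlet form:   " + servlet.serviceWithScriptlet("alice"));
    }
}
```

The response built for alice's request carries bob's value because both requests wrote to the same field; the scriptlet form keeps the value on each request thread's own stack.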

Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, Sessions and Session Management
Operating system(s): AIX, HPUX, Linux, Multi-Platform, Solaris, Windows
Software version: 3.5, 4.0, 5.0, 5.1
Software edition: Advanced
Reference #: 1175500
IBM Group: Software Group
Modified date: 2004-07-29