Today, I saw something surprising that I want to share with you.
sessionScope is for everyone… Many of us know that one should be careful with the sessionScope because the handling can be quite difficult if you don’t take care whether the sessionScope is deleted or renewd if you don’t need the value anymore. Maybe I will write another article about my favorite topic, because I made a lot of mistakes in my first XPages applications.
So, what do I mean with the heading? Imagine the following example:
User1 writes a value “test 1″ in the sessionScope variable “test container”. We know that means that, as long as the user is logged in, he can access this value and no other user can access this variable with this value.
That’s not correct!
User2 can also access this value, under certain circumstances. It is not very likely to happen, but if User 1 and User2 use the same computer, they share their sessionScope.
The sessionScope is saved in a cookie. And as long as this cookie isn’t deleted, all users who use the computer will have the value of User1 in their sessionScope. Even if you logout, close the browser and reopen the browser. The cookie is still there, and so is the sessionScope value.
You can try it very easily:
<?xml version="1.0" encoding="UTF-8"?>
<xp:view xmlns:xp="http://www.ibm.com/xsp/core">
<xp:inputText id="inputText1"></xp:inputText>
<xp:br/>
<xp:button value="Label" id="button1">
<xp:eventHandler event="onclick" submit="true"
refreshMode="complete">
<xp:this.action><![CDATA[#{javascript:
synchronized(sessionScope) {
sessionScope.put("test", getComponent("inputText1").value);
}}]]>
</xp:this.action>
</xp:eventHandler>
</xp:button>
<xp:br/>
<xp:text escape="true" id="computedField1">
<xp:this.value><![CDATA[#{javascript:sessionScope.get("test")}]]></xp:this.value>
</xp:text>
</xp:view>
Open this page as User1, set any value, close the browser and reopen it, login with User2 and open this page. You will see the old value from User1.
So, if anyone has an application which is used in public, or the users of the application could switch their computer, you should be very careful. It could lead to the strangest errors in your application, or cause some trouble because of data security/ data privacy. If you even think of the idea to control some access rights via sessionScope, or store a user related object in the sessionScope, you maybe should think of another solution.
Filed under: Notes & XPages, Stumbling Stones Tagged: cookie, Notes, Security, Serverside Javascript, Session, sessionScope, XPages
