Posts Tagged: ‘Stumbling Stones’

Stumbling Stone: sessionScope is for everyone…

19. July 2012 Posted by airwolf89

Today, I saw something surprising that I want to share with you.

Many of us know that one should be careful with the sessionScope, because handling it can be quite difficult if you don’t take care of whether the sessionScope is deleted or renewed when you don’t need the value anymore. Maybe I will write another article about my favorite topic, because I made a lot of mistakes in my first XPages applications.

So, what do I mean by the heading? Imagine the following example:

User1 writes a value “test 1” in the sessionScope variable “test container”. We know that this means that, as long as the user is logged in, he can access this value and no other user can access this variable with this value.

That’s not correct!

User2 can also access this value under certain circumstances. It is not very likely to happen, but if User1 and User2 use the same computer, they share their sessionScope.

The sessionScope is saved in a cookie. As long as this cookie isn’t deleted, all users who use the computer will have the value of User1 in their sessionScope, even if you log out, close the browser and reopen it. The cookie is still there, and so is the sessionScope value.

You can try it very easily:

<?xml version="1.0" encoding="UTF-8"?>
<xp:view xmlns:xp="http://www.ibm.com/xsp/core">
  <xp:inputText id="inputText1"></xp:inputText>
  <xp:br/>
  <xp:button value="Label" id="button1">
    <xp:eventHandler event="onclick" submit="true"
      refreshMode="complete">
      <xp:this.action><![CDATA[#{javascript:
        synchronized(sessionScope) {
          sessionScope.put("test", getComponent("inputText1").value);
        }}]]>
      </xp:this.action>
    </xp:eventHandler>
  </xp:button>
  <xp:br/>
  <xp:text escape="true" id="computedField1">
    <xp:this.value><![CDATA[#{javascript:sessionScope.get("test")}]]></xp:this.value>
  </xp:text>
</xp:view>

Open this page as User1, set any value, close the browser and reopen it, log in as User2 and open this page. You will see the old value from User1.
So, if you have an application which is used in public, or whose users could switch computers, you should be very careful. It could lead to the strangest errors in your application, or cause trouble with data security and data privacy. If you are even thinking about controlling access rights via sessionScope, or storing a user-related object in the sessionScope, you should maybe think of another solution.
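
One way to guard against the carry-over described above is to record which user filled the sessionScope and discard its contents when a different user shows up. This is an added example, not code from the original post: `OWNER_KEY`, `claimScope`, `scopeGet`, `FakeScope` and the user names are hypothetical, and it assumes sessionScope offers the `get`/`put`/`clear` map methods and that the caller passes the authenticated name (for example from `session.getEffectiveUserName()`).

```javascript
// Added example, not from the original post. Written in ES3 style so the
// two guard functions can be pasted into an SSJS script library unchanged.
var OWNER_KEY = "__scopeOwner"; // hypothetical key name

// Call first on every request (for example from beforePageLoad) with
// sessionScope and the authenticated user name. If the scope was filled
// by a different user, everything in it is discarded.
function claimScope(scope, currentUser) {
  var owner = scope.get(OWNER_KEY);
  var purged = false;
  if (owner != null && String(owner) !== String(currentUser)) {
    scope.clear();
    purged = true;
  }
  scope.put(OWNER_KEY, currentUser);
  return purged;
}

// Read a value only after the ownership check has run.
function scopeGet(scope, currentUser, key) {
  claimScope(scope, currentUser);
  var v = scope.get(key);
  return v === undefined ? null : v;
}

// Constructed stand-in for the map API of sessionScope, so the example
// also runs outside Domino.
function FakeScope() { this.data = {}; }
FakeScope.prototype.get = function (k) {
  return Object.prototype.hasOwnProperty.call(this.data, k) ? this.data[k] : null;
};
FakeScope.prototype.put = function (k, v) { this.data[k] = v; };
FakeScope.prototype.clear = function () { this.data = {}; };

// Replay of the scenario from the post: one browser, two logins.
function demo() {
  var scope = new FakeScope();
  claimScope(scope, "CN=User1/O=Example");   // constructed user names
  scope.put("test", "test 1");
  return {
    user1: scopeGet(scope, "CN=User1/O=Example", "test"),
    user2: scopeGet(scope, "CN=User2/O=Example", "test")
  };
}
```

With the guard in place, User1 still reads back "test 1", while User2 gets null because the scope is purged as soon as the owner changes.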



Stumbling Stones: Difference between xp:panel and xp:div

2. April 2012 Posted by airwolf89

Today another stumbling stone.

With this post I want to announce that I will write this blog in English from now on to reach more readers throughout the world. My old posts will be translated step by step. I hope you understand this step and continue reading my blog.

But back to topic. Today I was customizing a module in one of my applications. The structure was implemented via xp:panel elements. I wanted to save some performance and wanted to change it to xp:div.

By the way, what is the difference between xp:panel and xp:div, you might ask. Well, it is quite easy. Both controls are container controls which are rendered as a <div> element in HTML. The difference is that you can define a datasource in xp:panel elements. Therefore, xp:panel and xp:div reference different Java classes in the backend. The class for xp:panel is more complex, which means a bit more server load. Here is the generated Java code:

xp:panel:
private UIComponent createPanel2(FacesContext context,
      UIComponent parent, PageExpressionEvaluator evaluator) {
   UIPanelEx result = new UIPanelEx();
   return result;
}

xp:div:
private UIComponent createDiv(FacesContext context,
      UIComponent parent, PageExpressionEvaluator evaluator) {
   XspDiv result = new XspDiv();
   return result;
}

 

It may not seem worth mentioning, but imagine you have an application with, let’s say, 200 div containers throughout the application. For each one the server has to load the more complex class and prepare the functionality to create a datasource. If you use xp:div instead, the server load may decrease a bit. I do not have any statistics to prove how it affects the application’s performance in detail, but it is always a good idea to reach for maximum performance of an application.

So, what was the problem? I changed the tags to xp:div, and the design of my module was affected. I wondered why, because I thought both elements were rendered as a <div> element in HTML. But a short glance into Firebug told me something: for two panels, I hadn’t defined an ID attribute. So, the second difference between xp:div and xp:panel is that xp:panels without an ID attribute are NOT rendered in an XPage. This can affect CSS hierarchies and, if you need every pixel in a container, also the way it is displayed. In my case the result was that an image which I used as a button was not displayed next to an inputBox; it was displayed below it.

Here is an example with the output:

Without IDs:

XSP:
<xp:panel>
   <xp:panel>
      test 1
   </xp:panel>
</xp:panel>

<xp:br/>

<xp:div>
   <xp:div>
      test 2
   </xp:div>
</xp:div>

HTML:
test 1
<br>
<div>
   <div>
      test 2
   </div>
</div>

With IDs:

XSP:
<xp:panel id="panel1">
   <xp:panel id="panel2">
      test 1
   </xp:panel>
</xp:panel>

<xp:br/>

<xp:div id="div1">
   <xp:div id="div2">
      test 2
   </xp:div>
</xp:div>

HTML:
<div id="view:_id1:panel1">
   <div id="view:_id1:panel2">
      test 1
   </div>
</div>
<br>
<div id="view:_id1:div1">
   <div id="view:_id1:div2">
      test 2
   </div>
</div>

 

This is not a big deal: if you know that and always set an ID attribute, as you should, you won’t encounter that problem. But as always, you have to know it or you get confused by its consequences.

