Session mix up - apache httpd with mod_jk, tomcat, spring security - serving data of other user

Front-end | Unresolved | 5 answers | 1482
孤城傲影 2021-01-13 10:07

Recently we have faced a serious problem, that one user was served data of another user. This problem is almost impossible to reproduce.

We are using standard logged

5 answers
  •  夕颜 (OP)
     2021-01-13 10:21

    One of possible problems may be second login attempt. Consider following case:

    • User opens two browser tabs with two login forms.
    • Tab 1: do login as user_1. Load some data into the HTTP session.
    • Tab 2: do login as user_2. Load some data into the HTTP session.

    In most browsers it will be the same HTTP session. So actually you will have data from user_1 and user_2 combined in one HTTP session. Any page that uses session objects may be affected.

    You have two options here:

    • Prevent this situation. Detect second login attempt and ask user to do logout first. It's easy with Spring Security, see code below.
    • If you absolutely need one account per browser tab then you can store your session data in a map per username.

    You can prevent second login attempt thanks to Concurrent Session Control feature:

        ...

    Is it already done in your application?
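For readers whose Spring Security setup is Java-config rather than XML, this is an added example (not the answer's own configuration, which is missing above) of enabling Concurrent Session Control so a second login for the same principal is rejected rather than silently sharing session state; the class name, URLs and the Spring Security 5.x `WebSecurityConfigurerAdapter` style are assumptions.

```java
// Added example, not the original answer's XML: Spring Security Java config
// that limits each principal to one live session and rejects a second login.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SessionControlConfig extends WebSecurityConfigurerAdapter { // assumed class name

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .sessionManagement()
                // Start a brand-new HttpSession on successful login instead of
                // migrating the old one, so attributes loaded for user_1 are not
                // carried into the session that now belongs to user_2.
                .sessionFixation().newSession()
                // Concurrent Session Control: at most one active session per user.
                .maximumSessions(1)
                // Reject the second login attempt (the answer's option 1) rather
                // than expiring the first session.
                .maxSessionsPreventsLogin(true)
                // Where a request on a session expired by the registry is sent.
                .expiredUrl("/login?expired"); // assumed URL
    }

    // Required so the session registry is notified when an HttpSession is
    // destroyed (logout or timeout) and frees the user's session slot;
    // without it a user who never logged out stays locked out until expiry.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

With `maxSessionsPreventsLogin(true)` the second tab's login fails with a session-authentication error while the first tab stays logged in, which is the "ask user to do logout first" behaviour described in the answer.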
