RESOLVED. This question can be deleted by moderators

I have a very simple site written using Java EE (JSPs, Java, Tomcat server). I want to implement a simple login system. I thought I got the registration and login working; however, there is a huge problem with the way I'm doing it.

Let's say Alice logs in. She is able to view her profile with her information, everything looks normal so far for Alice. Then Eve comes around and wants to log on. She does and is taken to her profile, everything looks normal for Eve. Then Alice reloads her profile to find that the site now has her logged in as Eve!

So to reiterate: after one person is logged in, anyone is able to go to the site and be logged on to that account. And the most recent person to log on is the active account.

How do you keep track of session information like this so that multiple different accounts can be logged on using the site at the same time?

Thanks!

EDIT: This ended up being a very simple fix. I just needed to use setAttribute("EMAIL", userId); rather than the stupid way I did it, which was just using a global String variable.

Arjan Tijms
Corey
  • Related: http://stackoverflow.com/questions/3106452/how-do-servlets-work-instantiation-session-variables-and-multithreading/3106909#3106909 – BalusC Dec 09 '11 at 16:12
  • @Corey - If you have figured out the answer to your own question, please post it as an actual answer, and then accept it. That way, others who are in a similar situation may be able to learn from your efforts. Thanks! – cdeszaq Dec 20 '11 at 14:16

2 Answers

Rather than try to roll your own security, use an existing framework, like Spring Security. Out of the box, it gives you basic login capabilities and handles securing pages using a role-based authentication scheme.

cdeszaq

Reading your problem, I think that you store the last logged user's credentials in an instance variable of one of your servlets. This causes the last person to log in to overwrite everyone's credentials...

If you want a simple authentication, you can use Java EE's provided system: http://docs.oracle.com/javaee/5/tutorial/doc/bncbx.html

Once a user logs in, put his own credentials in his HTTP session (request.getSession().setAttribute("username", username)). Then, everyone will have a distinct profile.

Olivier Croisier