Vaadin session not unique

I have a problem with Vaadin session. I uses Vaddin session variable to store the user name when a user logins and displays it at the side menu bar. I noticed when user1 logins on machine A, the side bar shows user1. Then, user2 logins on machine B and it shows user2 at the side bar. Now user1 navigates to another page by clicking on the menu. Page refreshes and now it shows it is user2 eventhough this is machine A. I have added the session id to the menu bar and I see that user1 session ID changes to session ID of user2. I use Vaadin.getCurrent().getSession to set and get session variables. This is a serious secuity issue for my app. Please help.

I am using Vaadin 8.4.4, Tomcat 9.

We take possible security issues always seriously. So it would be desirable we get more information on this.

I have seen similar questions in the past, and so far the reasons behind issues have been found in application code. I would recommend to check these first

  • Are you calling getCurrent().getSession() from background thread? That is not safe if the threads are threadpooled.

  • Are you getting user info from service that is Injected or Autowired? Check that scopes are right. E.g. if you have ApplicationScoped bean serving info instead of SessionScoped, that will be shared between sessions, which is probably not right.

  • See also

I would ask you to create simplified test application stripped from other logic, that demonstrates the issue. If that reveals that issue is real, please open an issue at and link the app there.