Session sharing the logged in user

Hi!
This must be basic but I have researched a LOT and it doesn’t make any sense at all…
I have this Authentication class that, after a login, stores the user to the session. Ok.
Then I have an abstract definition of a view that on ‘enter’ checks if the current user is null and, if so, navigates back to the login screen (to prevent access to views).
The problem is that when my friend logs in to the site, I can access the locked views in his account just by typing the URL in the browser.

This is my authentication class:
http://pastebin.com/jt3xFurA

When any of my views ‘enter’ they call the ‘enter’ method that calls this from the abstract view:

[code]
@Override
public void enter(ViewChangeEvent event) {
    main.updateCurrentUser();
}
[/code]
Which is:

[code]
/**
 * Updates the topbar current user or goes to login screen
 */
public void updateCurrentUser() {
    titleBar.updateCurrentUser();

    // Leave if no user
    if (Authentication.currentUser() == null) {
        if (!navigator.getState().equals(Navigation.LOGIN)
                && !navigator.getState().equals(Navigation.CREATEUSER)) {
            navigator.navigateTo(Navigation.LOGIN);
        }
    }
}
[/code]
Current user should return null for me since I haven’t logged in. My friend did but that should be in his session, shouldn’t it?

For any given URL a user’s access has a unique UI instance but shares the same session. Your Authentication.currentUser() call will return the data last put there, which in your example, is your friend’s user data. You would need a separate key for each UI (not re-use “CURR_USER”), or store user data in each UI rather than in the common session.

I added a

    public static long        GENID    = 0L;
    private long            ID        = 0L;

to my UI and I’m using “currentUserSessionKey + ID” as key to the session:

[code]
long ID = ((InvoidwebUI) UI.getCurrent()).getID();
[/code]
So my setSessionAttribute is like this:

[code]
private static void setSessionAttribute(String key, Object attribute) {
    long ID = ((InvoidwebUI) UI.getCurrent()).getID();
    // Save to vaadin session
    VaadinSession.getCurrent().setAttribute(key + ID, attribute);
    VaadinSession.getCurrent().getSession().setAttribute(key + ID, attribute);
}
[/code]
And still the same behavior is happening.

My UI IDs are being created in the init call:

    @Override
    protected void init(VaadinRequest request) {
       [...]

        // Increase the ui id, store this ui id
        ID = GENID++;
    }
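
One way to write the access check discussed in this thread, as an added example that is not code from any poster: the logged-in user lives only in a typed `VaadinSession` attribute (static fields are shared by every session in the JVM), and a `ViewChangeListener` refuses protected views before they are entered. `User`, `SessionAuth` and `LoginGuard` are hypothetical names; the view names are passed in so the thread's `Navigation.LOGIN` and `Navigation.CREATEUSER` can be used.

```java
import com.vaadin.navigator.Navigator;
import com.vaadin.navigator.ViewChangeListener;
import com.vaadin.server.VaadinSession;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical user type; the thread does not show the real one. */
class User {
    final String name;
    User(String name) { this.name = name; }
}

/** Hypothetical helper: login state is read and written only through the current session. */
final class SessionAuth {
    private SessionAuth() {}

    static User currentUser() {
        VaadinSession session = VaadinSession.getCurrent();
        // No session bound to this thread means nobody is logged in.
        return session == null ? null : session.getAttribute(User.class);
    }
    static void login(User user) { VaadinSession.getCurrent().setAttribute(User.class, user); }
    static void logout() { VaadinSession.getCurrent().setAttribute(User.class, null); }
}

/** Denies navigation to protected views instead of redirecting after enter(). */
class LoginGuard implements ViewChangeListener {
    private final Navigator navigator;
    private final String loginView;
    private final Set<String> publicViews = new HashSet<>();

    LoginGuard(Navigator navigator, String loginView, String... otherPublicViews) {
        this.navigator = navigator;
        this.loginView = loginView;
        publicViews.add(loginView);
        publicViews.addAll(Arrays.asList(otherPublicViews));
    }
    @Override
    public boolean beforeViewChange(ViewChangeEvent event) {
        if (publicViews.contains(event.getViewName()) || SessionAuth.currentUser() != null) {
            return true;                    // public view, or this session has a user
        }
        navigator.navigateTo(loginView);    // login view is public, so this cannot loop
        return false;                       // the protected view is never entered
    }
    @Override
    public void afterViewChange(ViewChangeEvent event) { }
}
```

Register it once per UI in `init`, for example `navigator.addViewChangeListener(new LoginGuard(navigator, Navigation.LOGIN, Navigation.CREATEUSER));`.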