Get started
Loading...
Important Notice - Forums is archived

To simplify things and help our users to be more productive, we have archived the current forum and focus our efforts on helping developers on Stack Overflow. You can post new questions on Stack Overflow or join our Discord channel.

Product icon
TUTORIAL

Vaadin lets you build secure, UX-first PWAs entirely in Java.
Free ebook & tutorial.

Where to include a web components css file when integrating a third party w by Martin Vyšný, 1 week ago
Recent Posts
Vaadin Forum3. Vaadin 6, 7, 8

Session sharing the logged in user

lucas carvalhaes
6 years ago Jan 12, 2016 8:47pm

Hi!
This must be basic but I have researched a LOT and it doesn't make any sense at all...
I have this Authentication class that, after a login it stores the user to the session. Ok.
Then I have a abstract definition of a view that on 'enter' checks if the current user is null and, if so, navigate
back to the login screen (to prevent acess to views).
The problem is that when my friend logs in the site, I can access the locked views in his account just by typing the URL
in the browser.

This is my authentication class:
http://pastebin.com/jt3xFurA

When any of my views 'enter' they call the 'enter' method that calls this from the abstract view:

@Override
    public void enter(ViewChangeEvent event) {
        main.updateCurrentUser();
    }

Which is:

/**
     * Updates the topbar current user or goes to login screen
     */
    public void updateCurrentUser() {
        titleBar.updateCurrentUser();

        // Leave if no user
        if (Authentication.currentUser() == null) {
            if (!navigator.getState().equals(Navigation.LOGIN)
                    && !navigator.getState().equals(Navigation.CREATEUSER)) {
                navigator.navigateTo(Navigation.LOGIN);
            }
        }
    }

Current user should return null for me since I havent logged in. My friend did but that should be in his session, shouldn't it?

Steve Demy
6 years ago Jan 13, 2016 12:02am

For any given URL a user's access has a unique UI instance but shares the same session.  Your Authentication.currentUser() call will return the data last put there, which in your example, is your friends user data.  You would need a separate key for each UI (not re-use "CURR_USER"), or store user data in each UI rather than in the common session.

lucas carvalhaes
6 years ago Jan 13, 2016 8:32am

I added a

public static long        GENID    = 0L;
    private long            ID        = 0L;

to my UI and I'm using "currentUserSessionKey + ID" as key to the session:

long ID = ((InvoidwebUI) UI.getCurrent()).getID();

So my setSessionAttribute is like this:

private static void setSessionAttribute(String key, Object attribute) {
        long ID = ((InvoidwebUI) UI.getCurrent()).getID();
        // Save to vaadin session
        VaadinSession.getCurrent().setAttribute(key + ID, attribute);
        VaadinSession.getCurrent().getSession().setAttribute(key + ID, attribute);
    }

And still the same behavior is happening.

My UI ID's are beeing created in the init call:

@Override
    protected void init(VaadinRequest request) {
       [...]
        // Increase the ui id, store this ui id
        ID = GENID++;
    }