Hi to all! We have an JSP application (created with JDeveloper 3.1.1.2) running on Oracle iAS 1.0.1 server. The data management framework is BC4J objects. The application modules handling is set to statefull (by default). There is a problem when giving the application modules instances to the HTTP sessions. Details: 1. A browser (user) enters de application and gets a new application module instance. 2. It executes a query on a ViewObject that returns a certain data set. 3. After a while, the browser is closed. 4. Another browser enters the application elsewhere. 5. Usually (not always) it is given the instance that displays the ViewObject with the last data set queried.
Another case, following the same steps, happens when the first user makes a transaction (remember we are in statefull) and doesn�t click Commit. Then the browser is closed. A second browser (opened later) can get the session with the Commit and Rollback links activated. This two cases produce errors on the seconds (and further) browsers which try to do transactions or simple queries in this "non-valid" instances. This is not a secure way to work because a user may see data not having permissions to. How can we work around this? Is this normal? Is there any way through which we can close or destroy the instances assigned to closed HTTP sessions? We�re having real troubles with this. Thank in advance... ==========================================================================To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST". For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST". Some relevant FAQs on JSP/Servlets can be found at: http://archives.java.sun.com/jsp-interest.html http://java.sun.com/products/jsp/faq.html http://www.esperanto.org.nz/jsp/jspfaq.jsp http://www.jguru.com/faq/index.jsp http://www.jspinsider.com
