Stateful Session EJB keeps state in multiple JSP sessions
I have run into a problem when running a simple test JSP/EJB web application that I put together just to try out some concepts. There are 2 JSP pages in the application:
Login.jsp
UserInfo.jsp
The login page requests a userID and password and uses a stateful session EJB to perform the login validation - essentially by looking up the user in a user table. If validation succeeds, login.jsp sets a session attribute "userID" (getServletContext().setAttribute("userID", userID);) and redirects to UserInfo.jsp. UserInfo.jsp simply displays the userID by making a call to getServletContext().getAttribute("userID"); If UserInfo.jsp gets a null from this call (which is what I was expecting when coming in from another session that hasn't logged in), then it would redirect to the Login.jsp page.
Unfortunately, it's not working like this. In fact, it seems as though the "session" is maintaining state across user/browser sessions. For example, I log in once as userA and I get redirected to UserInfo.jsp displaying "userA". Then, from another browser (from another machine, doesn't matter), I log in as userB - this gets redirected to UserInfo.jsp displaying "userB" as it should. Now, if I refresh userA's UserInfo.jsp page, it displays "userB" instead of "userA".
Even more interesting, if I navigate directly to the UserInfo.jsp page without logging in, I see the userID of the last user that has logged in. I was expecting the getServletContext().getAttribute("userID") call to return null in this case, but it didn't.
Obviously, this is not the behavior I want, as a user should be required to log in prior to having access to the UserInfo page. Am I understanding/using the servlet context correctly, or is there something else I should be doing here?
Does it seem right that the same servlet context is being accessed from different JSP sessions? If so, then what is the preferred method for storing this userID so that I know within any given user's session that he has validly logged in and so that I can prevent users that have not logged in from navigating directly to UserInfo.jsp? In my "real" application I'm going to need to store more information along with some time stamps in order to implement session timeouts etc., but I want to get the basics of this process down first.
I'd appreciate any comments or insight into this that anyone may be able to provide.
Thanks in advance for any help.
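
Added example, not part of the original post: a `ServletContext` attribute is application-scoped and shared by every browser session, which produces the behaviour described above, whereas an `HttpSession` attribute is per session. The sketch below assumes the `javax.servlet` API (Servlet 3.0 or later); the class name `LoginRequiredFilter`, the helper `markLoggedIn` and the 15-minute timeout are hypothetical choices for illustration.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Hypothetical filter guarding the page from the post; adjust the URL pattern as needed.
@WebFilter("/UserInfo.jsp")
public class LoginRequiredFilter implements Filter {

    // Shared by all users (the pattern in the post), so the last login overwrites the value:
    //   getServletContext().setAttribute("userID", userID);

    /** Call from the login handler once the EJB has validated the credentials. */
    public static void markLoggedIn(HttpServletRequest req, String userID) {
        // Discard any pre-login session so the authenticated session gets a fresh ID.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("userID", userID);   // scoped to this browser session only
        session.setMaxInactiveInterval(15 * 60);  // idle timeout in seconds (constructed value)
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // getSession(false) does not create a session for a visitor who has none.
        HttpSession session = req.getSession(false);
        Object userID = (session == null) ? null : session.getAttribute("userID");

        if (userID == null) {
            // Not logged in within this session: send the browser to the login page.
            res.sendRedirect(req.getContextPath() + "/Login.jsp");
            return;
        }
        chain.doFilter(rq, rs);
    }
}
```

Inside UserInfo.jsp the value is then read with `session.getAttribute("userID")`, using the implicit `session` object rather than the servlet context.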

