Home > Notes & XPages, Stumbling Stones > Stumbling Stone: sessionScope is for everyone…

Stumbling Stone: sessionScope is for everyone…

Today, I saw something surprising that I want to share with you.

sessionScope is for everyone… Many of us know that one should be careful with the sessionScope because the handling can be quite difficult if you don’t take care whether the sessionScope is deleted or renewd if you don’t need the value anymore. Maybe I will write another article about my favorite topic, because I made a lot of mistakes in my first XPages applications.

So, what do I mean with the heading? Imagine the following example:

User1 writes a value “test 1” in the sessionScope variable “test container”. We know that means that, as long as the user is logged in, he can access this value and no other user can access this variable with this value.

That’s not correct!

User2 can also access this value, under certain circumstances. It is not very likely to happen, but if User 1 and User2 use the same computer, they share their sessionScope.

The sessionScope is saved in a cookie. And as long as this cookie isn’t deleted, all users who use the computer will have the value of User1 in their sessionScope. Even if you logout, close the browser and reopen the browser. The cookie is still there, and so is the sessionScope value.

You can try it very easily:

<?xml version="1.0" encoding="UTF-8"?>
  <xp:view xmlns:xp="http://www.ibm.com/xsp/core">
    <xp:inputText id="inputText1"></xp:inputText>
    <xp:button value="Label" id="button1">
      <xp:eventHandler event="onclick" submit="true"
          synchronized(sessionScope) {
            sessionScope.put("test", getComponent("inputText1").value);
  <xp:text escape="true" id="computedField1">

Open this page as User1, set any value, close the browser and reopen it, login with User2 and open this page. You will see the old value from User1.
So, if anyone has an application which is used in public, or the users of the application could switch their computer, you should be very careful. It could lead to the strangest errors in your application, or cause some trouble because of data security/ data privacy. If you even think of the idea to control some access rights via sessionScope, or store a user related object in the sessionScope, you maybe should think of another solution.

  1. 19/07/2012 at 3:42 pm

    You are correct … its because “session” in sessionScope does not refer to the authenticated Domino session, it refers to the http session, which as long as it is held open, not expired, etc, is persistent. Typically this restricted to 30mins of inactivity, or is typically terminated when the browser is closed (note that means the entire browser, not just the current tab you have open).

  2. 20/07/2012 at 8:30 am

    I added an xSnippets to clear the cookie and logout http://openntf.org/XSnippets.nsf/snippet.xsp?id=clear-session-whole-server. This is particularly important if you have a multi-NSF XPages application, because sessionScope is for a browser session for a specific NSF. You can clear the sessionScope map via SSJS, but you only have access to the current NSFs sessionScope, so there isn’t a way I’ve found in SSJS to clear the sessionScope map for all NSFs the user has accessed.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: