Stumbling Stone: sessionScope is for everyone…
Today, I saw something surprising that I want to share with you.
sessionScope is for everyone… Many of us know that one should be careful with the sessionScope because the handling can be quite difficult if you don’t take care whether the sessionScope is deleted or renewd if you don’t need the value anymore. Maybe I will write another article about my favorite topic, because I made a lot of mistakes in my first XPages applications.
So, what do I mean with the heading? Imagine the following example:
User1 writes a value “test 1” in the sessionScope variable “test container”. We know that means that, as long as the user is logged in, he can access this value and no other user can access this variable with this value.
That’s not correct!
User2 can also access this value, under certain circumstances. It is not very likely to happen, but if User 1 and User2 use the same computer, they share their sessionScope.
The sessionScope is saved in a cookie. And as long as this cookie isn’t deleted, all users who use the computer will have the value of User1 in their sessionScope. Even if you logout, close the browser and reopen the browser. The cookie is still there, and so is the sessionScope value.
You can try it very easily:
<?xml version="1.0" encoding="UTF-8"?>
<xp:view xmlns:xp="http://www.ibm.com/xsp/core">
<xp:inputText id="inputText1"></xp:inputText>
<xp:br/>
<xp:button value="Label" id="button1">
<xp:eventHandler event="onclick" submit="true"
refreshMode="complete">
<xp:this.action><![CDATA[#{javascript:
synchronized(sessionScope) {
sessionScope.put("test", getComponent("inputText1").value);
}}]]>
</xp:this.action>
</xp:eventHandler>
</xp:button>
<xp:br/>
<xp:text escape="true" id="computedField1">
<xp:this.value><![CDATA[#{javascript:sessionScope.get("test")}]]></xp:this.value>
</xp:text>
</xp:view>
Open this page as User1, set any value, close the browser and reopen it, login with User2 and open this page. You will see the old value from User1.
So, if anyone has an application which is used in public, or the users of the application could switch their computer, you should be very careful. It could lead to the strangest errors in your application, or cause some trouble because of data security/ data privacy. If you even think of the idea to control some access rights via sessionScope, or store a user related object in the sessionScope, you maybe should think of another solution.
Matthias Nicklisch 
You are correct … its because “session” in sessionScope does not refer to the authenticated Domino session, it refers to the http session, which as long as it is held open, not expired, etc, is persistent. Typically this restricted to 30mins of inactivity, or is typically terminated when the browser is closed (note that means the entire browser, not just the current tab you have open).
I added an xSnippets to clear the cookie and logout http://openntf.org/XSnippets.nsf/snippet.xsp?id=clear-session-whole-server. This is particularly important if you have a multi-NSF XPages application, because sessionScope is for a browser session for a specific NSF. You can clear the sessionScope map via SSJS, but you only have access to the current NSFs sessionScope, so there isn’t a way I’ve found in SSJS to clear the sessionScope map for all NSFs the user has accessed.