
Access Issue for Multiple Users in WebGoat #2038

@IrishIRL

I am currently setting up WebGoat for an environment where multiple users will log in from their devices to complete challenges at the same time. However, I encountered an issue when trying to access challenges with different user accounts.

Error Details:
When attempting to solve challenges from a different account, I receive the following error:

2025-02-25T14:33:55.805+01:00  WARN 1 --- [  XNIO-2 task-3] o.h.engine.jdbc.spi.SqlExceptionHelper   : SQL Error: -104, SQLState: 23505
2025-02-25T14:33:55.805+01:00 ERROR 1 --- [  XNIO-2 task-3] o.h.engine.jdbc.spi.SqlExceptionHelper   : integrity constraint violation: unique constraint or index violation ; UK_SYGJY2S8O8DDGA2K5YHBMUVEA table: LESSON_TRACKER_ALL_ASSIGNMENTS
2025-02-25T14:33:55.811+01:00 ERROR 1 --- [  XNIO-2 task-3] io.undertow.request                      : UT005023: Exception handling request to /WebGoat/SqlInjection/attack3

jakarta.servlet.ServletException: Request processing failed: org.springframework.dao.DataIntegrityViolationException: could not execute statement [integrity constraint violation: unique constraint or index violation ; UK_SYGJY2S8O8DDGA2K5YHBMUVEA table: LESSON_TRACKER_ALL_ASSIGNMENTS] [insert into CONTAINER.lesson_tracker_all_assignments (lesson_tracker_id,all_assignments_id) values (?,?)]; SQL [insert into CONTAINER.lesson_tracker_all_assignments (lesson_tracker_id,all_assignments_id) values (?,?)]; constraint [UK_SYGJY2S8O8DDGA2K5YHBMUVEA]
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1019) ~[spring-webmvc-6.0.13.jar!/:6.0.13]
	at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:914) ~[spring-webmvc-6.0.13.jar!/:6.0.13]
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:547) ~[jakarta.servlet-api-6.0.0.jar!/:6.0.0]
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:885) ~[spring-webmvc-6.0.13.jar!/:6.0.13]
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:614) ~[jakarta.servlet-api-6.0.0.jar!/:6.0.0]
	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) ~[undertow-servlet-2.3.10.Final.jar!/:2.3.10.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) ~[undertow-servlet-2.3.10.Final.jar!/:2.3.10.Final]
	at org.springframework.web.servlet.resource.ResourceUrlEncodingFilter.doFilter(ResourceUrlEncodingFilter.java:66) ~[spring-webmvc-6.0.13.jar!/:6.0.13]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) ~[undertow-servlet-2.3.10.Final.jar!/:2.3.10.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.3.10.Final.jar!/:2.3.10.Final]
	at org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231) ~[spring-security-web-6.1.5.jar!/:6.1.5]
	at org.springframework.security.web.ObservationFilterChainDecorator$FilterObservation$SimpleFilterObservation.lambda$wrap$1(ObservationFilterChainDecorator.java:479) ~[spring-security-web-6.1.5.jar!/:6.1.5]
	at org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$1(ObservationFilterChainDecorator.java:340) ~[spring-security-web-6.1.5.jar!/:6.1.5]
	at org.springframework.security.web.ObservationFilterChainDecorator.lambda$wrapSecured$0(ObservationFilterChainDecorator.java:82) ~[spring-security-web-6.1.5.jar!/:6.1.5]
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:128) ~[spring-security-web-6.1.5.jar!/:6.1.5]
	at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:100) ~[spring-security-web-6.1.5.jar!/:6.1.5]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.1.5.jar!/:6.1.5]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.1.5.jar!/:6.1.5]
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.1.5.jar!/:6.1.5]
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126) ~[spring-security-web-6.1.5.jar!/:6.1.5]
	...
Caused by: org.hibernate.exception.ConstraintViolationException: could not execute statement [integrity constraint violation: unique constraint or index violation ; UK_SYGJY2S8O8DDGA2K5YHBMUVEA table: LESSON_TRACKER_ALL_ASSIGNMENTS] [insert into CONTAINER.lesson_tracker_all_assignments (lesson_tracker_id,all_assignments_id) values (?,?)]
	at org.hibernate.exception.internal.SQLExceptionTypeDelegate.convert(SQLExceptionTypeDelegate.java:60) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:56) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:108) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:278) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.engine.jdbc.mutation.internal.AbstractMutationExecutor.performNonBatchedMutation(AbstractMutationExecutor.java:107) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.engine.jdbc.mutation.internal.MutationExecutorSingleNonBatched.performNonBatchedOperations(MutationExecutorSingleNonBatched.java:40) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.engine.jdbc.mutation.internal.AbstractMutationExecutor.execute(AbstractMutationExecutor.java:52) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.persister.collection.mutation.InsertRowsCoordinatorStandard.insertRows(InsertRowsCoordinatorStandard.java:117) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.persister.collection.BasicCollectionPersister.recreate(BasicCollectionPersister.java:109) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.action.internal.CollectionRecreateAction.execute(CollectionRecreateAction.java:47) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:635) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:502) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:364) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.event.service.internal.EventListenerGroupImpl.fireEventOnEachListener(EventListenerGroupImpl.java:127) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.internal.SessionImpl.doFlush(SessionImpl.java:1412) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:485) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:2301) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.internal.SessionImpl.beforeTransactionCompletion(SessionImpl.java:1966) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.beforeTransactionCompletion(JdbcCoordinatorImpl.java:439) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.resource.transaction.backend.jdbc.internal.JdbcResourceLocalTransactionCoordinatorImpl.beforeCompletionCallback(JdbcResourceLocalTransactionCoordinatorImpl.java:169) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.resource.transaction.backend.jdbc.internal.JdbcResourceLocalTransactionCoordinatorImpl$TransactionDriverControlImpl.commit(JdbcResourceLocalTransactionCoordinatorImpl.java:267) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.hibernate.engine.transaction.internal.TransactionImpl.commit(TransactionImpl.java:101) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	at org.springframework.orm.jpa.JpaTransactionManager.doCommit(JpaTransactionManager.java:561) ~[spring-orm-6.0.13.jar!/:6.0.13]
	... 151 common frames omitted
Caused by: java.sql.SQLIntegrityConstraintViolationException: integrity constraint violation: unique constraint or index violation ; UK_SYGJY2S8O8DDGA2K5YHBMUVEA table: LESSON_TRACKER_ALL_ASSIGNMENTS
	at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source) ~[hsqldb-2.7.2.jar!/:2.7.2]
	at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source) ~[hsqldb-2.7.2.jar!/:2.7.2]
	at org.hsqldb.jdbc.JDBCPreparedStatement.fetchResult(Unknown Source) ~[hsqldb-2.7.2.jar!/:2.7.2]
	at org.hsqldb.jdbc.JDBCPreparedStatement.executeUpdate(Unknown Source) ~[hsqldb-2.7.2.jar!/:2.7.2]
	at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:275) ~[hibernate-core-6.2.13.Final.jar!/:6.2.13.Final]
	... 171 common frames omitted
Caused by: org.hsqldb.HsqlException: integrity constraint violation: unique constraint or index violation ; UK_SYGJY2S8O8DDGA2K5YHBMUVEA table: LESSON_TRACKER_ALL_ASSIGNMENTS
	at org.hsqldb.error.Error.error(Unknown Source) ~[hsqldb-2.7.2.jar!/:2.7.2]
	at org.hsqldb.Constraint.getException(Unknown Source) ~[hsqldb-2.7.2.jar!/:2.7.2]
	at org.hsqldb.index.IndexAVL.insert(Unknown Source) ~[hsqldb-2.7.2.jar!/:2.7.2]
	at org.hsqldb.persist.RowStoreAVL.indexRow(Unknown Source) ~[hsqldb-2.7.2.jar!/:2.7.2]
	at org.hsqldb.TransactionManager2PL.addInsertAction(Unknown Source) ~[hsqldb-2.7.2.jar!/:2.7.2]
	at org.hsqldb.Session.addInsertAction(Unknown Source) ~[hsqldb-2.7.2.jar!/:2.7.2]
	at org.hsqldb.Table.insertSingleRow(Unknown Source) ~[hsqldb-2.7.2.jar!/:2.7.2]
	at org.hsqldb.StatementDML.insertSingleRow(Unknown Source) ~[hsqldb-2.7.2.jar!/:2.7.2]
	at org.hsqldb.StatementInsert.getResult(Unknown Source) ~[hsqldb-2.7.2.jar!/:2.7.2]
	at org.hsqldb.StatementDMQL.execute(Unknown Source) ~[hsqldb-2.7.2.jar!/:2.7.2]
	at org.hsqldb.Session.executeCompiledStatement(Unknown Source) ~[hsqldb-2.7.2.jar!/:2.7.2]
	at org.hsqldb.Session.execute(Unknown Source) ~[hsqldb-2.7.2.jar!/:2.7.2]
	... 174 common frames omitted
...

From the client side, the "Submit" button just does nothing. Tried on SQL Injection and XSS challenges.

Steps to Reproduce

  • Host a single instance of WebGoat.
  • Have multiple users log in from their devices.
  • Attempt to access challenges with different user accounts.

Expected Behavior
Each user should be able to access and complete challenges independently without encountering database integrity issues.

Questions

  • Is this functionality supported in WebGoat?
  • Are there any specific configurations or settings that need to be adjusted to allow multiple users to access challenges simultaneously?

Environment

  • Tested on WebGoat Versions: v2023.8 and v2023.5
  • Running using docker:
    • docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 webgoat/webgoat
