Hi guys, I think this is the right place for my question. My original subject contained just [jboss-user], and I guess that might be the cause of the missing response.

Any help greatly appreciated!

Thanks,

-Nestor

On 10/26/07, Nestor Urquiza <[EMAIL PROTECTED]> wrote:
> So I have found my own answer, basically if the request is made using
> Cookie: JSESSIONID=.<node name>
>
> The curious part is that when a request is made and the proper node
> responds the session Id keeps being ".<node name>". I would expect the
> cookie to be rewritten by the server but it never is.
>
> This makes me think about an attack possibility. If a hacker somehow
> manages to redirect a user with that session Id to a cluster
> environment he could potentially access user sensitive data because in
> fact he knows the user session?
>
> I have even done tests from two different IPs and my program kept the
> session with the two requests using the same ".node3C1" session Id:
>
> [Fri Oct 26 10:22:04 2007] [30497:26304] [debug] ajp_done::jk_ajp_common.c (2194): recycling connection pool slot=0 for worker node3C1
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug] wc_maintain::jk_worker.c (318): Maintaining worker node1C1
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug] service::jk_lb_worker.c (735): service sticky_session=1 id='.node3C1'
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug] get_most_suitable_worker::jk_lb_worker.c (634): searching worker for partial sessionid .node3C1
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug] get_most_suitable_worker::jk_lb_worker.c (642): searching worker for session route node3C1
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug] get_most_suitable_worker::jk_lb_worker.c (655): found worker node3C1 (node3C1) for route node3C1 and partial sessionid .node3C1
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug] service::jk_lb_worker.c (755): service worker=node3C1 jvm_route=node3C1
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug] ajp_service::jk_ajp_common.c (1734): processing node3C1 with 2 retries
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug] ajp_done::jk_ajp_common.c (2194): recycling connection pool slot=0 for worker node3C1
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug] wc_maintain::jk_worker.c (318): Maintaining worker node1C1
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug] service::jk_lb_worker.c (735): service sticky_session=1 id='.node3C1'
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug] get_most_suitable_worker::jk_lb_worker.c (634): searching worker for partial sessionid .node3C1
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug] get_most_suitable_worker::jk_lb_worker.c (642): searching worker for session route node3C1
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug] get_most_suitable_worker::jk_lb_worker.c (655): found worker node3C1 (node3C1) for route node3C1 and partial sessionid .node3C1
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug] service::jk_lb_worker.c (755): service worker=node3C1 jvm_route=node3C1
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug] ajp_service::jk_ajp_common.c (1734): processing node3C1 with 2 retries
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (892): 00f0 30 00 06 00 07 6E 6F 64 65 33 43 31 00 FF 00 00 - 0....node3C1....
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug] ajp_done::jk_ajp_common.c (2194): recycling connection pool slot=0 for worker node3C1
>
> Any ideas about how to make the server force the creation of a brand
> new random session id after receiving any request using a non-existing
> session id?
>
> Thanks!,
>
> -Nestor
>
>
> On 10/15/07, Nestor Urquiza <[EMAIL PROTECTED]> wrote:
> > Hello guys,
> >
> > Just new to JBoss World so if this is not the right list please be
> > kind and advise where I should post the question.
> >
> > Currently we have a cluster formed of three nodes, each of them in
> > separate machines. I want to be able to target a specific node from my
> > HTTP request. Is there any HTTP Header/GET/POST param that would allow
> > me to make one node respond to my request?
> >
> > Thanks in advance,
> >
> > -Nestor
> >
_______________________________________________
jboss-user mailing list
https://lists.jboss.org/mailman/listinfo/jboss-user
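
Added example, not part of the original thread: a log check that flags the route-only session ids seen in the mod_jk debug output above (`id='.node3C1'`), that is, requests where the part before the dot is empty or too short to be a server-issued id. It assumes the `<session>.<route>` id layout and the line format shown in the excerpt; the function names, the 16-character threshold and the third sample id are assumptions made for illustration.

```python
import re
from collections import Counter

# mod_jk debug line carrying the session id the balancer routed on,
# in the format shown in the log excerpt above.
STICKY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<pid>\d+):\d+\] \[debug\] "
    r"service::jk_lb_worker\.c \(\d+\): "
    r"service sticky_session=1 id='(?P<sid>[^']*)'"
)

def find_route_only_ids(lines, min_session_len=16):
    """Return (timestamp, pid, sid, route) for ids that name a route but
    whose session part is empty or shorter than min_session_len
    (the threshold is an assumption, tune it to your container)."""
    hits = []
    for line in lines:
        m = STICKY.match(line.strip())
        if not m:
            continue
        # Assumed layout: '<session>.<route>', split at the first dot.
        session, _, route = m["sid"].partition(".")
        if route and len(session) < min_session_len:
            hits.append((m["ts"], int(m["pid"]), m["sid"], route))
    return hits

def hits_per_route(hits):
    """Count flagged requests per target route (worker name)."""
    return Counter(route for _, _, _, route in hits)

# Constructed sample input, modelled on the mod_jk lines quoted above.
# The third entry is an invented well-formed id, included for contrast.
SAMPLE_LOG = """\
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug] service::jk_lb_worker.c (735): service sticky_session=1 id='.node3C1'
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug] service::jk_lb_worker.c (755): service worker=node3C1 jvm_route=node3C1
[Fri Oct 26 10:22:50 2007] [30495:26304] [debug] service::jk_lb_worker.c (735): service sticky_session=1 id='0123456789ABCDEF0123456789ABCDEF.node1C1'
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug] service::jk_lb_worker.c (735): service sticky_session=1 id='.node3C1'
""".splitlines()

if __name__ == "__main__":
    found = find_route_only_ids(SAMPLE_LOG)
    for ts, pid, sid, route in found:
        print(f"{ts} pid={pid} route-only session id {sid!r} -> {route}")
    print(dict(hits_per_route(found)))
```

The check needs mod_jk running at debug log level, as in the excerpt, since that is where the `sticky_session=1 id=` lines come from.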
