[Bug 63695] session_cookie attribute does not work?
https://bz.apache.org/bugzilla/show_bug.cgi?id=63695

Rainer Jung changed:

What       | Removed | Added
Status     | NEW     | RESOLVED
Resolution | ---     | INVALID

--
You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 63695] session_cookie attribute does not work?
https://bz.apache.org/bugzilla/show_bug.cgi?id=63695

--- Comment #7 from kimc@gmail.com ---
Thank you Rainer,

I changed my configuration as you advised, like below. And it finally works as I intended.

worker.list=worker_lb
worker.worker_lb.type=lb
worker.worker_lb.balance_workers=engine1,engine2
worker.worker_lb.session_cookie=LBSESSIONID
worker.worker_lb.sticky_session=true
worker.engine1.host=localhost
worker.engine1.port=9910
worker.engine1.route=engine1
worker.engine1.reference=worker.default
worker.engine2.host=localhost
worker.engine2.port=9920
worker.engine2.route=engine2
worker.engine2.reference=worker.default

You can close this subject.

Best regards,
Re: Malicious bugzilla attachment? [Was: [Bug 63695] session_cookie attribute does not work?]
On August 29, 2019 8:52:57 AM UTC, Rainer Jung wrote:
>On 29.08.2019 at 09:55, Mark Thomas wrote:
>> That looks suspicious on multiple levels.
>>
>> I'll block the user account and delete the attachment. I'm also tempted
>> to resolve the issue as invalid. Any objections?
>
>Thanks for taking actions. I have replied in the ticket, because I think
>it's a misconfiguration. I would give the user a chance to report back,
>because apart from the broken attachment he provided reasonable info, so
>I think the ticket is not fake. If it turns out to be a
>misconfiguration, then of course it is invalid. If we would have
>responded sooner as we did now, we would have pointed him to the users
>list. But since he actually tried to dig into it, I would find it more
>friendly to give him a final chance to check my hint how to fix the
>config.

Ack. I'll need to unblock the account. Should be done in 5 to 10 mins.

Mark

>Regards,
>
>Rainer
>
>> Mark
>>
>>
>> On 29/08/2019 10:47, Rainer Jung wrote:
>>> I don't know whether this attachment is just broken or some kind of
>>> attack. We might want to delete it if possible.
>>>
>>> It has suffix .pptx but neither Ooo, nor LibreOffice or Powerpoint show
>>> correct content. The file starts with a magic header "NASCA DRM FILE -
>>> VER1.00".
>>>
>>> Regards,
>>>
>>> Rainer
>>>
>>> On 29.08.2019 at 09:23, bugzi...@apache.org wrote:
>>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=63695
>>>>
>>>> --- Comment #3 from kimc@gmail.com ---
>>>> Created attachment 36741
>>>>   --> https://bz.apache.org/bugzilla/attachment.cgi?id=36741&action=edit
>>>> jk_lb_worker.c modification
>>>>
>>>> Showing how I modified the source code
Re: Malicious bugzilla attachment? [Was: [Bug 63695] session_cookie attribute does not work?]
On 29.08.2019 at 09:55, Mark Thomas wrote:
> That looks suspicious on multiple levels.
>
> I'll block the user account and delete the attachment. I'm also tempted
> to resolve the issue as invalid. Any objections?

Thanks for taking actions. I have replied in the ticket, because I think it's a misconfiguration. I would give the user a chance to report back, because apart from the broken attachment he provided reasonable info, so I think the ticket is not fake. If it turns out to be a misconfiguration, then of course it is invalid. If we would have responded sooner as we did now, we would have pointed him to the users list. But since he actually tried to dig into it, I would find it more friendly to give him a final chance to check my hint how to fix the config.

Regards,

Rainer

> Mark
>
>
> On 29/08/2019 10:47, Rainer Jung wrote:
>> I don't know whether this attachment is just broken or some kind of
>> attack. We might want to delete it if possible.
>>
>> It has suffix .pptx but neither Ooo, nor LibreOffice or Powerpoint show
>> correct content. The file starts with a magic header "NASCA DRM FILE -
>> VER1.00".
>>
>> Regards,
>>
>> Rainer
>>
>> On 29.08.2019 at 09:23, bugzi...@apache.org wrote:
>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=63695
>>>
>>> --- Comment #3 from kimc@gmail.com ---
>>> Created attachment 36741
>>>   --> https://bz.apache.org/bugzilla/attachment.cgi?id=36741&action=edit
>>> jk_lb_worker.c modification
>>>
>>> Showing how I modified the source code
[Bug 63695] session_cookie attribute does not work?
https://bz.apache.org/bugzilla/show_bug.cgi?id=63695

--- Comment #6 from Rainer Jung ---
Note that the docs under

http://tomcat.apache.org/connectors-doc/reference/workers.html

show that the attribute session_cookie is an LB attribute. You have set it for the two ajp13 workers, but you need to set it for the lb worker named "worker_lb" like:

worker.worker_lb.session_cookie=TESTSESSIONID

You can remove it from engine1 and engine2.

Please report back, if that works for you so we could close this ticket.

Regards,

Rainer
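The misconfiguration diagnosed in comment #6, as an added example that is not part of the thread or of mod_jk: a small Python check that flags session_cookie when it is set on a worker whose type is not lb. The broken sample is constructed from the description in the comment, the fixed sample is the configuration from comment #7, and treating an unset type as ajp13 and resolving reference one level are assumptions of this sketch.

```python
LB_ONLY = {"session_cookie"}  # the LB attribute named in comment #6


def parse_workers(text):
    """Parse worker.<name>.<attr>=<value> lines into {name: {attr: value}}."""
    workers = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("worker.") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        parts = key.strip().split(".")
        if len(parts) != 3:  # skips global keys such as worker.list
            continue
        workers.setdefault(parts[1], {})[parts[2]] = value.strip()
    return workers


def worker_type(name, workers):
    """Own type, else the referenced worker's type, else ajp13 (assumed default)."""
    attrs = workers.get(name, {})
    if "type" in attrs:
        return attrs["type"]
    ref = attrs.get("reference", "")
    if ref.startswith("worker."):
        return workers.get(ref[len("worker."):], {}).get("type", "ajp13")
    return "ajp13"


def misplaced_lb_attributes(text):
    """Return (worker, attribute, type) for LB attributes set on non-lb workers."""
    workers = parse_workers(text)
    return [(name, attr, worker_type(name, workers))
            for name, attrs in sorted(workers.items())
            if worker_type(name, workers) != "lb"
            for attr in sorted(LB_ONLY & attrs.keys())]


# Constructed sample: session_cookie on the two ajp13 workers, as comment #6 describes.
BROKEN = """worker.list=worker_lb
worker.worker_lb.type=lb
worker.worker_lb.balance_workers=engine1,engine2
worker.engine1.type=ajp13
worker.engine1.session_cookie=TESTSESSIONID
worker.engine2.type=ajp13
worker.engine2.session_cookie=TESTSESSIONID"""
# Relevant lines of the working configuration from comment #7.
FIXED = """worker.list=worker_lb
worker.worker_lb.type=lb
worker.worker_lb.session_cookie=LBSESSIONID
worker.engine1.reference=worker.default"""
```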
[Bug 63695] session_cookie attribute does not work?
https://bz.apache.org/bugzilla/show_bug.cgi?id=63695

--- Comment #5 from Mark Thomas ---
The content of attachment 36741 has been deleted for the following reason:

Suspected malicious attachment - file type not readable as pptx
Re: Malicious bugzilla attachment? [Was: [Bug 63695] session_cookie attribute does not work?]
That looks suspicious on multiple levels.

I'll block the user account and delete the attachment. I'm also tempted to resolve the issue as invalid. Any objections?

Mark


On 29/08/2019 10:47, Rainer Jung wrote:
> I don't know whether this attachment is just broken or some kind of
> attack. We might want to delete it if possible.
>
> It has suffix .pptx but neither Ooo, nor LibreOffice or Powerpoint show
> correct content. The file starts with a magic header "NASCA DRM FILE -
> VER1.00".
>
> Regards,
>
> Rainer
>
> On 29.08.2019 at 09:23, bugzi...@apache.org wrote:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=63695
>>
>> --- Comment #3 from kimc@gmail.com ---
>> Created attachment 36741
>>   --> https://bz.apache.org/bugzilla/attachment.cgi?id=36741&action=edit
>> jk_lb_worker.c modification
>>
>> Showing how I modified the source code
[Bug 63695] session_cookie attribute does not work?
https://bz.apache.org/bugzilla/show_bug.cgi?id=63695

--- Comment #4 from kimc@gmail.com ---
Comment on attachment 36741
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36741
jk_lb_worker.c modification

I have tried to debug the 1.2.46 version of the tomcat connector and finally I found some wrong parts of the source code for session-related configs.
- session_cookie
- session_path
- set_session_cookie
- session_cookie_path

The code that handles those attributes also missed a loop part for more than 2 workers.

I attached a pptx file and you can see what is the problem and how we can handle.

And I would like you to modify the source and release the patch officially.

Regards,
Malicious bugzilla attachment? [Was: [Bug 63695] session_cookie attribute does not work?]
I don't know whether this attachment is just broken or some kind of attack. We might want to delete it if possible.

It has suffix .pptx but neither Ooo, nor LibreOffice or Powerpoint show correct content. The file starts with a magic header "NASCA DRM FILE - VER1.00".

Regards,

Rainer

On 29.08.2019 at 09:23, bugzi...@apache.org wrote:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=63695
>
> --- Comment #3 from kimc@gmail.com ---
> Created attachment 36741
>   --> https://bz.apache.org/bugzilla/attachment.cgi?id=36741&action=edit
> jk_lb_worker.c modification
>
> Showing how I modified the source code
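The check described in the message above (a .pptx suffix whose leading bytes are not those of a presentation), as an added Python example that is not part of the thread or of Bugzilla. The function name and result labels are hypothetical, the sample files are constructed, and expecting ppt/presentation.xml in a real .pptx is an assumption based on what common producers write.

```python
import io
import zipfile

NASCA_MAGIC = b"NASCA DRM FILE - VER1.00"  # header quoted in the thread
ZIP_MAGIC = b"PK\x03\x04"                  # local file header of a non-empty ZIP


def classify_pptx_upload(filename: str, data: bytes) -> str:
    """Return 'ok', 'nasca-header', 'not-zip' or 'zip-not-pptx' for a .pptx upload."""
    if not filename.lower().endswith(".pptx"):
        raise ValueError("this check only covers .pptx uploads")
    if data.startswith(NASCA_MAGIC):
        return "nasca-header"
    if not data.startswith(ZIP_MAGIC):
        return "not-zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        # Right magic bytes, but no readable central directory.
        return "not-zip"
    # A .pptx is a ZIP container; these two parts are assumed to be present.
    if {"[Content_Types].xml", "ppt/presentation.xml"} <= names:
        return "ok"
    return "zip-not-pptx"


def _make_zip(members):
    """Build an in-memory ZIP with placeholder content (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, "<x/>")
    return buf.getvalue()


# Constructed samples, not the deleted attachment.
SAMPLE_PPTX = _make_zip(["[Content_Types].xml", "ppt/presentation.xml"])
SAMPLE_PLAIN_ZIP = _make_zip(["notes.txt"])
SAMPLE_NASCA = NASCA_MAGIC + b"\x00" * 64
SAMPLE_TRUNCATED = ZIP_MAGIC + b"garbage"
```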
[Bug 63695] session_cookie attribute does not work?
https://bz.apache.org/bugzilla/show_bug.cgi?id=63695

--- Comment #3 from kimc@gmail.com ---
Created attachment 36741
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36741&action=edit
jk_lb_worker.c modification

Showing how I modified the source code
[Bug 63695] session_cookie attribute does not work?
https://bz.apache.org/bugzilla/show_bug.cgi?id=63695

--- Comment #2 from kimc@gmail.com ---
(In reply to Christopher Schultz from comment #1)
> Did you change the JSESSIONID cookie name in Tomcat, or just in mod_jk?
> Those two configurations must agree with each other.

Of course, I did, that's why I had the logs below

[Tue Aug 13 16:40:07.270 2019] [6532:18068] [debug] init_ws_service::jk_isapi_plugin.c (3267): Forwarding request header Cookie : TESTSESSIONID=ASfXUomeuKIAUYQKlGfFPk81z4ZCFVW32wVdAmmJqDBLaV7iy7SU8hXlXs3OLSg0.engine1

* my context.xml

My point is that once session_cookie is changed from its default, it never looks for the session id from request headers.
[Bug 63695] session_cookie attribute does not work?
https://bz.apache.org/bugzilla/show_bug.cgi?id=63695

Christopher Schultz changed:

What | Removed | Added
OS   |         | All

--- Comment #1 from Christopher Schultz ---
Did you change the JSESSIONID cookie name in Tomcat, or just in mod_jk? Those two configurations must agree with each other.