Tomcat 3.3.1 - Sessions Migrating Between Users
Has anyone seen sessions move between users running Tomcat 3.3.1? I'm using Apache 1.3.26 connecting to Tomcat 3.3.1 with mod_jk using the ajp12 protocol, and it sounds from user reports as if sessions are moving between users. At first, I thought it had something to do with proxies caching the pages, but the last report I got rules out a proxy as the users were on totally independent networks.

Thanks,

Jason Koeninger
JJ Computer Consulting

--
To unsubscribe, e-mail: mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Tomcat 3.3.1 - Sessions Migrating Between Users
On Thu, 19 Sep 2002, Jason Koeninger wrote:

> Has anyone seen sessions move between users running Tomcat 3.3.1? I'm using Apache 1.3.26 connecting to Tomcat 3.3.1 with mod_jk using the ajp12 protocol, and it sounds from user reports as if sessions are moving between users. At first, I thought it had something to do with proxies caching the pages, but the last report I got rules out a proxy as the users were on totally independent networks.

This could be a multi-threading issue -- i.e. some of your code may not be thread-safe.

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]
Re: Tomcat 3.3.1 - Sessions Migrating Between Users
I've been doing multi-threaded code for a long time, and while I'm not going to say there's no way I made a mistake, I am going to say that it's unlikely it's a threading issue. In this particular application, I do session management in a single servlet, and all I do is log the user on and place the user object in the session. I'll double-check it, but that's how it was originally written.

Any other thoughts?

Thanks,

Jason Koeninger
JJ Computer Consulting
Re: Tomcat 3.3.1 - Sessions Migrating Between Users
On Thu, 19 Sep 2002, Jason Koeninger wrote:

> I've been doing multi-threaded code for a long time, and while I'm not going to say there's no way I made a mistake, I am going to say that it's unlikely it's a threading issue. In this particular application, I do session management in a single servlet, and all I do is log the user on and place the user object in the session. I'll double-check it, but that's how it was originally written.
>
> Any other thoughts?

I did say could be -- it is the most obvious thing that comes to mind. Similarly, it could be something wrong with those versions of Tomcat and/or mod_jk, but by the same token, if there were some such obvious/basic problem with it, you'd think it'd be pretty well known. But you might check the archives of this list to see if others have reported such problems with them.

Is that the latest version of the 3.3 branch? If not, you could try to upgrade. In fact, if feasible, you might just upgrade to an entirely new version, and see if the problem persists. There's a 4.0 branch (up to 4.0.4) and a 4.1 (up to 4.1.11 already or soon). Both those versions implement the latest servlet/jsp specs (2.3/1.2) (3.2 and 3.3 implement 2.2/1.1). And the ajp12 protocol (I think that means version 1.2 of the AJP protocol) has been replaced by ajp13 (likewise, version 1.3 of the AJP protocol).

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]
Re: Tomcat 3.3.1 - Sessions Migrating Between Users
On Thu, 19 Sep 2002 15:02:59 -0500 (CDT), Milt Epstein wrote:

> On Thu, 19 Sep 2002, Jason Koeninger wrote:
>
> I did say could be -- it is the most obvious thing that comes to mind.

It would be nice if it was just a bone-headed threading issue, but I'm afraid I'm not seeing one. I was hoping I had accidentally made a class variable in the servlet, but I didn't find one.

> Is that the latest version of the 3.3 branch? If not, you could try to upgrade.

Doubtful. Previous upgrades caused some painful problems. You'll find my ajp13 issues on Tomcat 3.3.1 in the archives.

> In fact, if feasible, you might just upgrade to an entirely new version, and see if the problem persists. There's a 4.0 branch (up to 4.0.4) and a 4.1 (up to 4.1.11 already or soon). Both those versions implement the latest servlet/jsp specs (2.3/1.2) (3.2 and 3.3 implement 2.2/1.1). And the ajp12 protocol (I think that means version 1.2 of the AJP protocol) has been replaced by ajp13 (likewise, version 1.3 of the AJP protocol).

Actually, I went running back to ajp12 after my last experience with ajp13. This is, in fact, a similar problem to my last ajp13 experience in which you could get results from old requests. Odd problem and difficult to describe, and it made you think you were insane when you hit reload and all was better.

I think I'll try bypassing Apache and going straight to Tomcat for now. If that doesn't work, it looks like we'll try the 4.x branch finally.

Thanks for the help.

Best Regards,

Jason
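The thread-safety hypothesis raised above, and the "class variable in the servlet" that was checked for, as an added example that is not code from the thread or from Tomcat: one handler object serves two overlapping logins, first with per-request state in an instance field and then in a local variable. The class names, session IDs and user names are constructed, and the barrier exists only to force the overlap.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CyclicBarrier;

public class SharedServletStateDemo {
    // One handler object serves every request thread, as a servlet instance does.
    interface LoginHandler {
        void login(String sessionId, String userName, Map<String, String> sessions) throws Exception;
    }

    // Constructed for the demo: makes the two requests overlap every time.
    static final CyclicBarrier OVERLAP = new CyclicBarrier(2);

    // Unsafe: per-request data kept in an instance field shared by all threads.
    static class UnsafeHandler implements LoginHandler {
        // volatile makes the outcome well-defined; it does not make the field per-request.
        private volatile String user;
        public void login(String sessionId, String userName, Map<String, String> sessions) throws Exception {
            user = userName;               // both requests write the same field
            OVERLAP.await();               // stands in for the authentication work
            sessions.put(sessionId, user); // both read whichever write landed last
        }
    }

    // Safe: per-request data lives in a local variable on the request thread's stack.
    static class SafeHandler implements LoginHandler {
        public void login(String sessionId, String userName, Map<String, String> sessions) throws Exception {
            String user = userName;
            OVERLAP.await();
            sessions.put(sessionId, user);
        }
    }

    // Runs two concurrent logins against the same handler and returns session -> user.
    static Map<String, String> run(LoginHandler handler) throws Exception {
        Map<String, String> sessions = new ConcurrentHashMap<>();
        Thread a = new Thread(() -> call(handler, "session-A", "alice", sessions));
        Thread b = new Thread(() -> call(handler, "session-B", "bob", sessions));
        a.start(); b.start();
        a.join(); b.join();
        return sessions;
    }

    static void call(LoginHandler h, String sid, String user, Map<String, String> sessions) {
        try { h.login(sid, user, sessions); } catch (Exception e) { throw new RuntimeException(e); }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unsafe: " + run(new UnsafeHandler()));
        System.out.println("safe:   " + run(new SafeHandler()));
    }
}
```

With the unsafe handler both sessions end up holding the same user, so one of them belongs to the wrong person; with the safe handler each session keeps its own.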
Re: Tomcat 3.3.1 - Sessions Migrating Between Users
Milt,

I posted earlier (9/12) about a problem that we ran into with Apache/Tomcat having one user login and get another user's data. Look for "Killing Apache Processes Connected to Tomcat via mod_jk (Ajp13)" for a little background.

In the logs we found the error where USER1 called a jsp via POST that validated and redirected to a different servlet (GET). The parameters on the GET URL were not for the person that just logged in but USER2 who had logged in earlier and was still on the system performing other requests. To say the least my world was rocked (in a bad way).

They are SSL connections through different ISPs so I'm throwing out caching proxies. The USER1 didn't have jsessionid attached to his URL on this POST (we have cookies=false and encodeURL everywhere but it still happened). So now we added a hard coded ;jsessionid= on the first page to ensure it's there. I hadn't put too much thought into session hijacking. Now I just hope and pray that I don't get another incident.

I have asked over and over and have never had anyone respond or appear to have a similar problem. We are on Apache 1.3.26 w/ ajp13 and TC 4.0.4 and had been killing off apache processes that get stuck in a 'W' state.

John Moore
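A log check for the two symptoms described in the last message, as an added example that is not from the thread: it reports URL-encoded session IDs that arrived from more than one client address, and requests that carried no `;jsessionid=` at all. The log lines, paths and session IDs are constructed, the combined-log layout is an assumption, and the client address is only a heuristic for "different user".

```java
import java.util.*;
import java.util.regex.*;

public class JsessionidLogCheck {
    // Constructed access-log lines (combined-log style); the addresses are
    // documentation ranges and the paths and session IDs are made up.
    static final String[] SAMPLE = {
        "192.0.2.10 - - [19/Sep/2002:14:01:07 -0500] \"GET /app/home.jsp;jsessionid=AAAA1111 HTTP/1.1\" 200 5120",
        "198.51.100.7 - - [19/Sep/2002:14:03:40 -0500] \"POST /app/login.jsp HTTP/1.1\" 302 0",
        "198.51.100.7 - - [19/Sep/2002:14:03:41 -0500] \"GET /app/account;jsessionid=AAAA1111?id=42 HTTP/1.1\" 200 4096",
        "203.0.113.5 - - [19/Sep/2002:14:05:12 -0500] \"GET /app/home.jsp;jsessionid=BBBB2222 HTTP/1.1\" 200 5120",
    };

    // group 1 = client address, group 2 = method, group 3 = request URL
    static final Pattern LINE = Pattern.compile("^(\\S+) \\S+ \\S+ \\[[^\\]]*\\] \"(\\S+) (\\S+) [^\"]*\"");
    static final Pattern SID = Pattern.compile(";jsessionid=([^?;#\\s]+)");

    // Session IDs that arrived from more than one client address.
    static Map<String, Set<String>> sharedSessions(String[] lines) {
        Map<String, Set<String>> clients = new TreeMap<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.find()) continue;
            Matcher s = SID.matcher(m.group(3));
            if (s.find()) clients.computeIfAbsent(s.group(1), k -> new TreeSet<>()).add(m.group(1));
        }
        clients.values().removeIf(c -> c.size() < 2);
        return clients;
    }

    // Requests with no session ID in the URL; with cookies disabled these
    // were not tied to the caller's existing session.
    static List<String> missingSessionId(String[] lines) {
        List<String> out = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (m.find() && !SID.matcher(m.group(3)).find())
                out.add(m.group(2) + " " + m.group(3) + " from " + m.group(1));
        }
        return out;
    }

    public static void main(String[] args) {
        System.out.println("shared session IDs: " + sharedSessions(SAMPLE));
        System.out.println("requests without jsessionid: " + missingSessionId(SAMPLE));
    }
}
```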