Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-23 Thread Yawar Khan

Felix, the issue still persists; I don't know what else to do, and I don't know
why this issue is popping up in the Linux environment only. Under Windows there is
no session mix-up issue.

Now there are no class-wide variables, and I have moved them inside the login
function.







From: Felix Schumacher felix.schumac...@internetallee.de
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 6:07:18 PM
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux




Yawar Khan khanya...@yahoo.com wrote:

thanks felix, very nicely explained!

but do you think that declaring connection and rs variables outside the login 
function is causing the sessions mixup issue? 


Yes. But I think it is not messing with sessions, but rather messing with the 
values of your user beans.

Hth
  Felix




From: Felix Schumacher felix.schumac...@internetallee.de
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 4:13:52 PM
Subject: RE: Sessions mix-up on Tomcat 6.0.26 on Linux

On Friday, 20.08.2010 at 21:54 -0700, Yawar Khan wrote:
 Chris, you identified a possible sql injection in my code and declaring it a 
 very bad piece of code. Despite the fact that jdbc does not allow more than 
 1 

 query on this execute function and I am doing fields validation before 
 submission of the form. 
 
  
 Is there another genuine threat or bug that you identified and would like to 
 share? Please do, I am sharing the udac source code as well, 
 
  
 Wesley you comments are also welcome; somebody also asked that what will 
 happen 


 in case udac.login throws an exception, well exception handling is inside 
 this 


 class. Sorry but i missed that email so i am unable to name that gentleman 
 friend.
  
 package org.mcb.services;
  
 import java.text.*;
 import java.util.*;
 import java.sql.*;
 import javax.servlet.http.HttpSession;
  
    public class udac
    {
      static Connection currentCon = null;
      static ResultSet rs = null;
This seems to be really problematic. Having ResultSet and Connection
shared by many users is a bad idea.

Imagine what happens when two requests come in at the same time:

          Request A          Request B

        login(beanA)
            |
  currentCon=new Connection()
            |                login(beanB)
            |                    |
            |              currentCon=new Connection() # BOOM you are
overwriting the class wide variable currentCon.

Same thing can happen to rs too. So better place currentCon and rs as
method variables inside of login.
          
      
      public static userbean login(userbean bean) {
            //preparing some objects for connection
            Statement stmt = null;
            String userid = bean.getUserId();
            String password = bean.getPassword();
            String epass = null;
            String name = null;
            String user_id = null;
            String role_id = null;
            String branch_code = null;
            String last_login = null;
            String role_desc = null;
            try{
                epass = passwordservices.getInstance().encrypt(password);
              //passwordservices is a class which has functions to ecrypt a 
 string and return back the string.
            }catch(Exception e){
                System.out.println(e);
I find it very useful to use a logging framework for reporting errors.
And adding information about the state in which the error occurred might
help finding the root cause more easily.

            }
            String searchQuery = SELECT a.USER_ID,a.NAME, a.BRANCH_CODE, 
 a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION 
 a, 


 ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ;
            searchQuery = searchQuery + AND LOWER(a.USER_ID) = LOWER('+ 
userid 


 + ') AND a.PASSWORD = '+epass+';
If you are using prepared statements with parameters, you don't have to
worry if someone has forgotten to check those parameters for
SQL injection. But you were told so already.

Bye
Felix

            try{
                //connect to DB: connectionmanager is a class which contains 
 connection functions
                currentCon = connectionmanager.scgm_conn();                
                stmt=currentCon.createStatement();
                rs = stmt.executeQuery(searchQuery);
                boolean hasdata=false;
                while(rs.next()) {
                    hasdata=true;
                    name = rs.getString(NAME);
                    user_id = rs.getString(USER_ID);
                    branch_code = rs.getString(BRANCH_CODE);
                    role_id = rs.getString(ROLE_ID);
                    last_login = rs.getString(LAST_LOGIN_DATE);
                    role_desc = rs.getString(ROLE_DESC);
                    bean.setName(name);
                    bean.setUserId(user_id);
                    bean.setBranch(branch_code
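
The two-request interleaving in Felix's diagram above can be reproduced deterministically. The following is an added illustration, not code from the thread: `SharedStateRaceDemo`, `sharedRow` and the user ids are constructed names, and a plain string stands in for the JDBC `ResultSet`.

```java
import java.util.concurrent.CountDownLatch;

// Added illustration, not code from the thread. All names here are hypothetical.
public class SharedStateRaceDemo {

    // Plays the role of "static ResultSet rs" in udac: one slot for every request thread.
    static String sharedRow;

    // One simulated login. "stored" is signalled once the row has been fetched;
    // "mayRead" holds the thread between fetching the row and reading it back.
    static String login(String userId, boolean useShared,
                        CountDownLatch stored, CountDownLatch mayRead)
            throws InterruptedException {
        String localRow = "row-for-" + userId;   // stands in for stmt.executeQuery(...)
        if (useShared) {
            sharedRow = localRow;                // udac style: result kept in a static field
        }
        stored.countDown();
        mayRead.await();                         // the other request runs in this window
        return useShared ? sharedRow : localRow; // stands in for rs.getString(...)
    }

    // Runs request A and request B in the interleaving from the diagram and
    // returns what each one read back: {seenByA, seenByB}.
    static String[] runTwoLogins(boolean useShared) throws InterruptedException {
        CountDownLatch aStored = new CountDownLatch(1);
        CountDownLatch bStored = new CountDownLatch(1);
        String[] seen = new String[2];

        Thread a = new Thread(() -> {
            try {
                // A fetches its row, then is paused until B has fetched too.
                seen[0] = login("alice", useShared, aStored, bStored);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        });
        Thread b = new Thread(() -> {
            try {
                aStored.await();                 // B starts only after A has stored its row
                seen[1] = login("bob", useShared, bStored, bStored);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        });
        a.start();
        b.start();
        a.join();
        b.join();
        return seen;
    }

    public static void main(String[] args) throws InterruptedException {
        String[] shared = runTwoLogins(true);
        System.out.println("static field  : A read " + shared[0] + ", B read " + shared[1]);
        String[] local = runTwoLogins(false);
        System.out.println("local variable: A read " + local[0] + ", B read " + local[1]);
    }
}
```

With the static field, request A reads back the row that request B fetched; with the method-local variable, each request reads its own row.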

Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-21 Thread Yawar Khan
Wesley, no, I am not using SQL bindings. What are the security holes?

You haven't told me why my sessions are getting mixed up here.





From: Wesley Acheson wesley.ache...@gmail.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 3:16:23 PM
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

On Sat, Aug 21, 2010 at 6:54 AM, Yawar Khan khanya...@yahoo.com wrote:

 Chris, you identified a possible sql injection in my code and declaring it
 a
 very bad piece of code. Despite the fact that jdbc does not allow more than
 1
 query on this execute function and I am doing fields validation before
 submission of the form.

JavaScript / ECMAScript and any client-side scripting are completely
by-passable and offer no security.
http://www.xs4all.nl/~sbpoley/webmatters/formval.html

So field validation doesn't help you. Also anyone can post to your servlets.

Are you using bindings for your SQL? I see security holes here but don't
have time for a usecase.




 Is there another genuine threat or bug that you identified and would like
 to
 share? Please do, I am sharing the udac source code as well,


 Wesley you comments are also welcome; somebody also asked that what will
 happen
 in case udac.login throws an exception, well exception handling is inside
 this
 class. Sorry but i missed that email so i am unable to name that gentleman
 friend.

 package org.mcb.services;

 import java.text.*;
 import java.util.*;
 import java.sql.*;
 import javax.servlet.http.HttpSession;

    public class udac
    {
      static Connection currentCon = null;
      static ResultSet rs = null;

      public static userbean login(userbean bean) {
            //preparing some objects for connection
            Statement stmt = null;
            String userid = bean.getUserId();
            String password = bean.getPassword();
            String epass = null;
            String name = null;
            String user_id = null;
            String role_id = null;
            String branch_code = null;
            String last_login = null;
            String role_desc = null;
            try{
                epass = passwordservices.getInstance().encrypt(password);
              //passwordservices is a class which has functions to ecrypt a
 string and return back the string.
            }catch(Exception e){
                System.out.println(e);
            }
            String searchQuery = SELECT a.USER_ID,a.NAME, a.BRANCH_CODE,
 a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM
 LOGIN_INFORMATION a,
 ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ;
            searchQuery = searchQuery + AND LOWER(a.USER_ID) = LOWER('+
 userid
 + ') AND a.PASSWORD = '+epass+';
            try{
                //connect to DB: connectionmanager is a class which
 contains
 connection functions
                currentCon = connectionmanager.scgm_conn();
                stmt=currentCon.createStatement();
                rs = stmt.executeQuery(searchQuery);
                boolean hasdata=false;
                while(rs.next()) {
                    hasdata=true;
                    name = rs.getString(NAME);
                    user_id = rs.getString(USER_ID);
                    branch_code = rs.getString(BRANCH_CODE);
                    role_id = rs.getString(ROLE_ID);
                    last_login = rs.getString(LAST_LOGIN_DATE);
                    role_desc = rs.getString(ROLE_DESC);
                    bean.setName(name);
                    bean.setUserId(user_id);
                    bean.setBranch(branch_code);
                    bean.setRole(role_id);
                    bean.setLastLogin(last_login);
                    bean.setRoleDesc(role_desc);
                    bean.setValid(true);
                }
                if(!hasdata) {
                    System.out.println(Sorry, you are not a registered
 user!
 Please sign up first + searchQuery);
                    bean.setValid(false);
                }
            }catch (Exception ex){
              System.out.println(Log In failed: An Exception has occurred!
  +
 ex);
            }
            //some exception handling
            finally{
              if (rs != null)      {
                try {
                    rs.close();
                } catch (Exception e) {}
                    rs = null;
                }

              if (stmt != null) {
                try {
                    stmt.close();
                } catch (Exception e) {}
                    stmt = null;
                }

              if (currentCon != null) {
                try {
                    currentCon.close();
                } catch (Exception e) {
                }

                currentCon = null;
              }
            }
 return bean;

    }
 }

 ysk
 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: Friday, August 20, 2010 3:43 AM
 To: Tomcat Users List
 Subject
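
One way to write the lookup with bound parameters ("bindings") and method-local JDBC objects, the two changes recommended in this thread. This is an added example, not code from the thread: the class name `LoginDao` and the `DataSource` parameter are assumptions, the table and column names are those of the posted query, and try-with-resources assumes Java 7 or later.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.sql.DataSource;

// Added example, not code from the thread. LoginDao and the DataSource
// parameter are hypothetical; table and column names come from the posted query.
public final class LoginDao {

    // The query text is a constant: user input never becomes part of the SQL string.
    // Unlike the posted query, a.PASSWORD is not selected, since the caller does not need it.
    private static final String LOGIN_SQL =
          "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC "
        + "FROM LOGIN_INFORMATION a, ROLES b "
        + "WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID "
        + "AND LOWER(a.USER_ID) = LOWER(?) AND a.PASSWORD = ?";

    private static final String[] COLUMNS = {
        "USER_ID", "NAME", "BRANCH_CODE", "LAST_LOGIN_DATE", "ROLE_ID", "ROLE_DESC"
    };

    private LoginDao() {
    }

    /**
     * Looks up an active user. Returns the row as column name -> value,
     * or null when no active user matches the given credentials.
     */
    public static Map<String, String> login(DataSource ds, String userId,
                                            String encryptedPassword) throws SQLException {
        // Server-side check: refuse missing credentials instead of querying with them.
        if (userId == null || encryptedPassword == null) {
            return null;
        }
        // Connection, statement and result set are local to this call, so
        // concurrent requests cannot overwrite each other's objects.
        // try-with-resources closes all three, also when an exception is thrown.
        try (Connection con = ds.getConnection();
             PreparedStatement ps = con.prepareStatement(LOGIN_SQL)) {
            // Values are bound as data; a quote character in userId stays
            // part of the value and cannot change the structure of the query.
            ps.setString(1, userId);
            ps.setString(2, encryptedPassword);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return null;
                }
                Map<String, String> row = new LinkedHashMap<>();
                for (String column : COLUMNS) {
                    row.put(column, rs.getString(column));
                }
                return row;
            }
        }
    }
}
```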

Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-21 Thread Yawar Khan
thanks felix, very nicely explained!

but do you think that declaring connection and rs variables outside the login 
function is causing the sessions mixup issue? 






From: Felix Schumacher felix.schumac...@internetallee.de
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 4:13:52 PM
Subject: RE: Sessions mix-up on Tomcat 6.0.26 on Linux

On Friday, 20.08.2010 at 21:54 -0700, Yawar Khan wrote:
 Chris, you identified a possible sql injection in my code and declaring it a 
 very bad piece of code. Despite the fact that jdbc does not allow more than 1 
 query on this execute function and I am doing fields validation before 
 submission of the form. 
 
  
 Is there another genuine threat or bug that you identified and would like to 
 share? Please do, I am sharing the udac source code as well, 
 
  
 Wesley you comments are also welcome; somebody also asked that what will 
 happen 

 in case udac.login throws an exception, well exception handling is inside 
 this 

 class. Sorry but i missed that email so i am unable to name that gentleman 
 friend.
  
 package org.mcb.services;
  
 import java.text.*;
 import java.util.*;
 import java.sql.*;
 import javax.servlet.http.HttpSession;
  
    public class udac
    {
      static Connection currentCon = null;
      static ResultSet rs = null;
This seems to be really problematic. Having ResultSet and Connection
shared by many users is a bad idea.

Imagine what happens when two requests come in at the same time:

          Request A          Request B

        login(beanA)
            |
  currentCon=new Connection()
            |                login(beanB)
            |                    |
            |              currentCon=new Connection() # BOOM you are
overwriting the class wide variable currentCon.

Same thing can happen to rs too. So better place currentCon and rs as
method variables inside of login.
          
      
      public static userbean login(userbean bean) {
            //preparing some objects for connection
            Statement stmt = null;
            String userid = bean.getUserId();
            String password = bean.getPassword();
            String epass = null;
            String name = null;
            String user_id = null;
            String role_id = null;
            String branch_code = null;
            String last_login = null;
            String role_desc = null;
            try{
                epass = passwordservices.getInstance().encrypt(password);
              //passwordservices is a class which has functions to ecrypt a 
 string and return back the string.
            }catch(Exception e){
                System.out.println(e);
I find it very useful to use a logging framework for reporting errors.
And adding information about the state in which the error occurred might
help finding the root cause more easily.

            }
            String searchQuery = SELECT a.USER_ID,a.NAME, a.BRANCH_CODE, 
 a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION 
 a, 

 ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ;
            searchQuery = searchQuery + AND LOWER(a.USER_ID) = LOWER('+ 
userid 

 + ') AND a.PASSWORD = '+epass+';
If you are using prepared statements with parameters, you don't have to
worry if someone has forgotten to check those parameters for
SQL injection. But you were told so already.

Bye
Felix

            try{
                //connect to DB: connectionmanager is a class which contains 
 connection functions
                currentCon = connectionmanager.scgm_conn();                
                stmt=currentCon.createStatement();
                rs = stmt.executeQuery(searchQuery);
                boolean hasdata=false;
                while(rs.next()) {
                    hasdata=true;
                    name = rs.getString(NAME);
                    user_id = rs.getString(USER_ID);
                    branch_code = rs.getString(BRANCH_CODE);
                    role_id = rs.getString(ROLE_ID);
                    last_login = rs.getString(LAST_LOGIN_DATE);
                    role_desc = rs.getString(ROLE_DESC);
                    bean.setName(name);
                    bean.setUserId(user_id);
                    bean.setBranch(branch_code);
                    bean.setRole(role_id);
                    bean.setLastLogin(last_login);
                    bean.setRoleDesc(role_desc);
                    bean.setValid(true);
                }
                if(!hasdata) {
                    System.out.println(Sorry, you are not a registered user! 
 Please sign up first + searchQuery);
                    bean.setValid(false);
                }
            }catch (Exception ex){
              System.out.println(Log In failed: An Exception has occurred!  
+ 

 ex);
            }
            //some exception handling
            finally{
              if (rs != null)      {
                try

How stable is Tomcat?

2010-08-21 Thread Yawar Khan
Guys, is Tomcat stable enough to host large-scale production applications
getting 1500+ hits every day, and as many concurrent database connections? I
know a lot depends on the application's architecture, but just how good is Tomcat?


  

Re: How stable is Tomcat?

2010-08-21 Thread Yawar Khan
thank you marco for your insight and sharing your experience.





From: Marco Castillo mabcasti...@vdkit.net
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 7:09:09 PM
Subject: Re: How stable is Tomcat?

I totally agree with Michel. We developed a JSF 2.0 application using Tomcat
as the web container. Tomcat is as stable as the application you develop.
The system we developed hosts a RIA application based on ICEFaces for almost
5000 users and after a lot of debugging and JVM fine tuning, we now have an
almost rock solid product. Note that the debugging was done over the app,
and the JVM fine tuning is a must for this kind of application. Tomcat
works fine with just some modifications in the config files. Actually we use
the latest Tomcat 6 running over Linux CentOS.
Also we use Tomcat 6 for a landing page for a Telco Operator. The landing
page was developed using JSP technology and implements Google SSO. This
application actually serves 2 users, with almost 15000 hits on a daily
basis. Again, the main stabilization process was done in the application,
not Tomcat, and Tomcat works just fine.
Hope this information was helpful.

Regards

Ing. Marco Antonio Castillo
Chief Design Engineer
Van Der Kaaden IT Consulting
Guatemala, Guatemala C.A.
tel: +502 22382710
mobile: +502 59186971
e-mail: mabcasti...@vdkit.net
sip: mabcasti...@sip.vdkit.net


On Sat, Aug 21, 2010 at 7:07 AM, michel compu...@videotron.ca wrote:

 I think that maybe you are mixing up stability and scalability. While they
 are connected, an unstable system can fail at low volume. Also, I don't
 think that 1500 hits a day is that much.



 Michel


 - Original Message - From: Yawar Khan khanya...@yahoo.com
 To: Tomcat Users users@tomcat.apache.org
 Sent: Saturday, August 21, 2010 8:59 AM
 Subject: How stable is Tomcat?



  Guys, is tomcat stable enough to host large scale production applications
 getting 1500+ hits everyday? and as much concurrent database connections.
 I know
 alot depends on the applications architecture but just how good is tomcat?





 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org





  

RE: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-20 Thread Yawar Khan
Chris, I had a look at container-managed authentication and it's quite handy,
but I couldn't see how I can add extra functionality like calling an encryption
function on the password text field before Tomcat does its authentication on it.

For JS, my client-side authentication is done on the form submit button click
event. If the hackers do disable JavaScript, how will my HTML form be submitted?
However, I will add some server-side validation as well; I agree that's
important.
 
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Friday, August 20, 2010 3:41 AM
To: Tomcat Users List
Subject: Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux
 
 
Yawar,
 
On 8/19/2010 3:27 PM, Yawar Saeed Khan/ITG/Karachi wrote:
 your comments on my current code tells me that this code is not bad,
 but I should check out tomcat's container managed logins... right?
 
This code seems to be doing more work than necessary. Container-managed
authentication and authorization is a useful service provided by the
container. I highly recommend taking a look at using it, but it may be
... disruptive to your existing workflows.
 
 plus I would like to mention that I have client side form validations
 (js) to stop query busters.
 
I'm sure that hackers will be sure to leave javascript enabled when they
visit your site.
 
- -chris


  

RE: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-20 Thread Yawar Khan
Hi, I have been trying to post emails on this list but getting
mailer-daemon replies that only subscribers can post. I don't know what happened
there, so I subscribed my other email address.

OK, now for the topic at hand:

Wesley, udac is a public class which exists in the same package and login is a
static function. I think that much is pretty obvious. I had proper naming
conventions, but when I moved my source code to Linux, my entire file names were
changed to lower case, and the application could not find the classes and JSP
files. I didn't know any other way (and didn't have any time for R&D), so I changed
the names of classes and JSP files to lower case. Anyway, my original topic is
the sessions mix-up; do you see any relevance of sessions in the udac class? Sessions
are getting created in loginmanager.
 
 
-Original Message-
From: Wesley Acheson [mailto:wesley.ache...@gmail.com] 
Sent: Friday, August 20, 2010 2:05 AM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
 
Maybe it's just me but I still don't see where udac is declared or even
imported.
 
On Thu, Aug 19, 2010 at 10:26 PM, Yawar Saeed Khan/ITG/Karachi 
yawar.sa...@mcb.com.pk wrote:
 
 yea I did attach a .java file, anyways I am posting the code here;

 
 package org.mcb.services;

 import java.io.IOException;
 import java.io.PrintWriter;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;

 /**
  *
  * @author yawar.saeed
  */
 public class loginmanager extends HttpServlet {

     protected void processRequest(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
         response.setContentType("text/html;charset=iso-8859-1");
         PrintWriter out = response.getWriter();
         try {
             userbean user = new userbean();
             user.setUserId(request.getParameter("txt_userid"));
             user.setPassword(request.getParameter("txt_pass"));
             user = udac.login(user);
             if (user.isValid()) {
                 HttpSession session = request.getSession(true);
                 session.setAttribute("user_id", user.getUserId());
                 session.setAttribute("user_name", user.getName());
                 session.setAttribute("role_id", user.getRole());
                 session.setAttribute("role_desc", user.getRoleDesc());
                 session.setAttribute("last_login", user.getLastLogin());
                 //response.sendRedirect("main.jsp"); //logged-in page
                 response.sendRedirect(response.encodeRedirectURL("main.jsp"));
             } else {
                 //response.sendRedirect("index.jsp?user=" + user.isValid()); //revert back to login page
                 //revert back to login page
                 response.sendRedirect(response.encodeRedirectURL("index.jsp?user=" + user.isValid()));
             }
         } finally {
             out.close();
         }
     }

     @Override
     protected void doGet(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
         processRequest(request, response);
     }

     @Override
     protected void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
         processRequest(request, response);
     }
 }

 

 
 

 
 From: Wesley Acheson [mailto:wesley.ache...@gmail.com]
 Sent: Fri 20-Aug-10 1:56 AM
 To: Tomcat Users List
 Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

 

 

 
 Sorry can't see it. Are you sure you attached it? you could use something
 like pastebin if the mail list does accept attachments

 

 
 On Thu, Aug 19, 2010 at 9:27 PM, Yawar Saeed Khan/ITG/Karachi 
 yawar.sa...@mcb.com.pk wrote:

 
  source code is attached;
 
  suggestions are welcome.
 
  
 
  From: Wesley Acheson [mailto:wesley.ache...@gmail.com]
  Sent: Fri 20-Aug-10 12:38 AM
  To: Tomcat Users List
  Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
 
 
 
  Okay I've a little theory could you post the entire code for
 loginmanager.
 
  How is udac declared?  If its a class variable then *ITS NOT THREAD
 SAFE*.
  As a basic rule don't declare class variables in a servlet (There are
  exceptions to this rule but you shouldn't under normal circumstances)


  

RE: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-20 Thread Yawar Khan
Chris, you identified a possible SQL injection in my code and declared it a
very bad piece of code, despite the fact that JDBC does not allow more than 1
query on this execute function and I am doing field validation before
submission of the form.

Is there another genuine threat or bug that you identified and would like to
share? Please do; I am sharing the udac source code as well.

Wesley, your comments are also welcome. Somebody also asked what will happen
in case udac.login throws an exception; well, exception handling is inside this
class. Sorry, but I missed that email so I am unable to name that gentleman
friend.
 
package org.mcb.services;

import java.text.*;
import java.util.*;
import java.sql.*;
import javax.servlet.http.HttpSession;

public class udac
{
    static Connection currentCon = null;
    static ResultSet rs = null;

    public static userbean login(userbean bean) {
        //preparing some objects for connection
        Statement stmt = null;
        String userid = bean.getUserId();
        String password = bean.getPassword();
        String epass = null;
        String name = null;
        String user_id = null;
        String role_id = null;
        String branch_code = null;
        String last_login = null;
        String role_desc = null;
        try {
            epass = passwordservices.getInstance().encrypt(password);
            //passwordservices is a class which has functions to encrypt a string and return back the string.
        } catch (Exception e) {
            System.out.println(e);
        }
        String searchQuery = "SELECT a.USER_ID,a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
        searchQuery = searchQuery + "AND LOWER(a.USER_ID) = LOWER('" + userid + "') AND a.PASSWORD = '" + epass + "'";
        try {
            //connect to DB: connectionmanager is a class which contains connection functions
            currentCon = connectionmanager.scgm_conn();
            stmt = currentCon.createStatement();
            rs = stmt.executeQuery(searchQuery);
            boolean hasdata = false;
            while (rs.next()) {
                hasdata = true;
                name = rs.getString("NAME");
                user_id = rs.getString("USER_ID");
                branch_code = rs.getString("BRANCH_CODE");
                role_id = rs.getString("ROLE_ID");
                last_login = rs.getString("LAST_LOGIN_DATE");
                role_desc = rs.getString("ROLE_DESC");
                bean.setName(name);
                bean.setUserId(user_id);
                bean.setBranch(branch_code);
                bean.setRole(role_id);
                bean.setLastLogin(last_login);
                bean.setRoleDesc(role_desc);
                bean.setValid(true);
            }
            if (!hasdata) {
                System.out.println("Sorry, you are not a registered user! Please sign up first" + searchQuery);
                bean.setValid(false);
            }
        } catch (Exception ex) {
            System.out.println("Log In failed: An Exception has occurred!  " + ex);
        }
        //some exception handling
        finally {
            if (rs != null) {
                try {
                    rs.close();
                } catch (Exception e) {}
                rs = null;
            }

            if (stmt != null) {
                try {
                    stmt.close();
                } catch (Exception e) {}
                stmt = null;
            }

            if (currentCon != null) {
                try {
                    currentCon.close();
                } catch (Exception e) {
                }

                currentCon = null;
            }
        }
        return bean;
    }
}
 
ysk
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Friday, August 20, 2010 3:43 AM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
 
 
Wesley,
 
On 8/19/2010 5:04 PM, Wesley Acheson wrote:
 Maybe it's just me but I still don't see where udac is declared or even
 imported.
 
...or even used.
 
I'm guessing that the bad code exists outside of this login servlet.
 
- -chris