tomcat session problem

2012-01-11 Thread Weffen Cheung
Hello,

I am using 2 tomcat(7.0.11) on my server, with clustering and session 
duplication. All the things are running smoothly except the session problem 
sometimes:

1. userA login, userB login
2. Sometimes when userB loads a page, he finds that he has become userA, it 
means that userB's login session data has been replaced with userA's. Don't know 
why. Is it a bug? 

Has anyone encountered the same problem?

Any advice would be highly appreciated!

Thanks

--
Weffen Cheung
E: wef...@gmail.com
M: 1380618





Re: tomcat session problem

2012-01-11 Thread Daniel Mikusa
On Wed, 2012-01-11 at 02:29 -0800, Weffen Cheung wrote:
> Hello,
> 
> I am using 2 tomcat(7.0.11) on my server, with clustering and session 
> duplication. All the things are running smoothly except the session problem 
> sometimes:
> 
> 1. userA login, userB login

Are userA and userB on the same TC instance?

> 2. Sometimes when userB loads a page, he finds that he has become userA, it 
> means that userB's login session data has been replaced with userA's. Don't 
> know why. Is it a bug? 

In most cases this occurs due to a session, request or response object
being retained by a servlet.  This is bad and can cause behaviors
similar to the one you are reporting.

> Has anyone encountered the same problem?
> 
> Any advice would be highly appreciated!

One other thought, what do you have in front of the two TC instances?
Apache HTTPD with mod_proxy? or with mod_jk?

Have you confirmed that the correct session id is being sent from the
browser to your load balancer and then from the load balancer to your TC
instance?

Dan


Re: tomcat session problem

2012-01-11 Thread Weffen Cheung
Hello, 

First Thanks for your reply, Dan.

1. Yes, I am using apache2+mod_proxy in front of the two tomcats; here is the 
configuration in httpd.conf:

ProxyPass /images/ !
ProxyPass /css/ !
ProxyPass /js/ !
ProxyPass /photo/ !
ProxyPass /icon/ !
ProxyPass /pg/ !
ProxyPass /job/ !
ProxyPass /maintenance/ !
ProxyRequests Off

<Proxy balancer://cluster/>
BalancerMember ajp://localhost:8009/ route=tomcat loadfactor=1
BalancerMember ajp://localhost:8010/ route=tomcat2 loadfactor=1
</Proxy>
ProxyPass / balancer://cluster/ stickysession=JSESSIONID nofailover=On
ProxyPassReverse / balancer://cluster/

2. I am not sure whether the problem occurs on the same tomcat, because I 
have no idea how to confirm that. Could you give me any tips to find it out?  
This problem occurs occasionally, and I really don't know whether it is because 
of the session duplication or tomcat session manager itself.

3. But one thing I am sure of is that the two users use different PCs to log in,  
which means that cookie is not the reason at all.

Have any fellows had such a problem? This problem is so bad that it has driven me 
and my visitors crazy, which is a big security problem!

Any advice is highly appreciated!

Thanks in advance!


Weffen







Re: tomcat session problem

2012-01-11 Thread Daniel Mikusa
On Wed, 2012-01-11 at 10:21 -0800, Weffen Cheung wrote:
 
> 2. I am not sure whether the problem occurs on the same tomcat, because 
> I have no idea how to confirm that. Could you give me any tips to find it 
> out?  

It will take a bit of work, but here are two possibilities...

If you are able to talk with the user when the problem occurs, try to
get some information from the user:  the time the problem happened, the
resource that was accessed or anything else that can be used to identify
the request in the logs.

Once you have that information, you'll need to look at the access logs
to find the user's request and see which machine the request was sent
to.

Alternatively, if you can get the session id of the problem request, it
should have the route appended to the end of it.  That would also tell
you which machine the request was sent to.

> This problem occurs occasionally, and I really don't know whether it is 
> because of the session duplication or tomcat session manager itself.

As I mentioned before, the most likely cause is due to a session,
request or response object being retained by one of your application's
servlets.  Doing this can cause problems very similar to the one that
you are reporting.

You should check your application to make sure that you never assign the
session, request or response objects to a field on your Servlet objects.
This is not thread safe and can cause a problem very similar to the one you are
reporting.

Dan
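
The failure described in the reply above, reproduced as an added example (not code from this thread or from Tomcat): one shared handler instance keeps the current session in a field, and a second request overwrites it while the first is still in flight. `Session`, `UnsafeServlet` and `SafeServlet` are hypothetical stand-ins for `HttpSession` and `HttpServlet` so that it runs on a plain JDK (16 or later), and the session ids are constructed.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicReference;

public class RetainedSessionDemo {
    /** Hypothetical stand-in for HttpSession (ids are constructed sample values). */
    record Session(String id, String user) {}

    /** Hypothetical stand-in for a servlet: ONE instance serves all request threads. */
    interface Handler { String doGet(Session s, Runnable slowWork); }

    static class UnsafeServlet implements Handler {
        private Session session;                 // per-request state in a shared field
        public String doGet(Session s, Runnable slowWork) {
            this.session = s;                    // any concurrent request overwrites this
            slowWork.run();                      // DB call, rendering, ...
            return "Welcome, " + this.session.user();
        }
    }

    static class SafeServlet implements Handler {
        public String doGet(Session s, Runnable slowWork) {
            Session session = s;                 // local: confined to this request's thread
            slowWork.run();
            return "Welcome, " + session.user();
        }
    }

    /** Forces the interleaving: B starts, A runs to completion, then B finishes. */
    static String responseSeenByUserB(Handler servlet) throws InterruptedException {
        Session a = new Session("AAAA.tomcat", "userA");
        Session b = new Session("BBBB.tomcat", "userB");
        CountDownLatch bInFlight = new CountDownLatch(1);
        CountDownLatch aFinished = new CountDownLatch(1);
        AtomicReference<String> bResponse = new AtomicReference<>();

        Thread requestB = new Thread(() -> bResponse.set(servlet.doGet(b, () -> {
            bInFlight.countDown();               // B has stored its session and is "working"
            try {
                aFinished.await();               // ...while userA's request is handled
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        })));
        requestB.start();
        bInFlight.await();
        servlet.doGet(a, () -> {});              // userA's request on the same instance
        aFinished.countDown();
        requestB.join();
        return bResponse.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("field: userB receives: " + responseSeenByUserB(new UnsafeServlet()));
        System.out.println("local: userB receives: " + responseSeenByUserB(new SafeServlet()));
    }
}
```

Both users hold their own, correct JSESSIONID throughout; the mix-up happens inside the application, which is why it shows up even when the users are on different PCs.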


 
 
 
 


Re: tomcat session problem

2012-01-11 Thread Igor Cicimov
And have you set jvmRoute parameter in the server.xml file on the tomcats
to match the route value you use in the balancer?

Maybe read the following section of the mod_proxy_balancer carefully to
make sure all the dependencies are met:

http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html#stickyness_implementation


Igor
 
 
 



Re: tomcat session problem

2012-01-11 Thread Selvakumar Subramanian
Hi Igor,

Thanks for your reply...We are using apache tomcat not the http
server...Hope the below parameter is to be used for apache http server
right? Pls correct me, if I am wrong in understanding

Thanks
Selva

On Wed, Jan 11, 2012 at 6:34 PM, Igor Cicimov icici...@gmail.com wrote:

> And have you set jvmRoute parameter in the server.xml file on the tomcats
> to match the route value you use in the balancer?
>
> Maybe read the following section of the mod_proxy_balancer carefully to
> make sure all the dependencies are met:
>
> http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html#stickyness_implementation
>
> Igor
  
  
  
 



Re: tomcat session problem

2012-01-11 Thread Igor Cicimov
But you said you are using Apache as front end right? And here you are
using mod_proxy_balancer to reverse-proxy right?


> ProxyPass / balancer://cluster/ stickysession=JSESSIONID nofailover=On
> ProxyPassReverse / balancer://cluster/



You use sticky sessions on your proxy based on the JSESSIONID right? So the
point is the balancer in your Apache frontend proxy should have the
parameters synchronized with your backend Tomcat servers otherwise your
sessions might end up on a wrong Tomcat server when proxying. Hope this
makes sense?!

Igor
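
A way to check the two points raised in this thread, that the route is appended to the session id and that each Tomcat's jvmRoute must match a balancer route, as an added example (not code from the thread or from either project). The balancer block is the one posted earlier; the jvmRoute values and the JSESSIONID values are constructed assumptions, since no server.xml or log was posted. Requires Java 15 or later.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class StickyRouteCheck {
    // Balancer block as posted in this thread.
    static final String HTTPD_CONF = """
            <Proxy balancer://cluster/>
            BalancerMember ajp://localhost:8009/ route=tomcat loadfactor=1
            BalancerMember ajp://localhost:8010/ route=tomcat2 loadfactor=1
            </Proxy>
            """;

    static final Pattern MEMBER = Pattern.compile(
            "^\\s*BalancerMember\\s+(\\S+).*?\\broute=(\\S+)", Pattern.MULTILINE);

    /** Route name -> backend URL, taken from the BalancerMember lines. */
    static Map<String, String> balancerRoutes(String conf) {
        Map<String, String> routes = new LinkedHashMap<>();
        Matcher m = MEMBER.matcher(conf);
        while (m.find()) routes.put(m.group(2), m.group(1));
        return routes;
    }

    /** Tomcat appends ".<jvmRoute>" to the session id when jvmRoute is set. */
    static String routeOf(String jsessionId) {
        int dot = jsessionId.indexOf('.');
        return dot < 0 ? "" : jsessionId.substring(dot + 1);
    }

    /** Says which backend a session id is pinned to, or why it cannot be pinned. */
    static String check(String jsessionId, Map<String, String> routes) {
        String route = routeOf(jsessionId);
        if (route.isEmpty()) return "no route suffix (jvmRoute unset on the issuing Tomcat?)";
        String backend = routes.get(route);
        return backend != null ? "route " + route + " -> " + backend
                               : "route " + route + " matches no BalancerMember";
    }

    public static void main(String[] args) {
        Map<String, String> routes = balancerRoutes(HTTPD_CONF);

        // Assumed jvmRoute values from each Tomcat's server.xml (not shown in the thread);
        // the second one is deliberately mistyped to show a mismatch.
        for (String jvmRoute : List.of("tomcat", "tomcat02")) {
            System.out.println("jvmRoute " + jvmRoute + ": "
                    + (routes.containsKey(jvmRoute) ? "ok" : "no BalancerMember has this route"));
        }
        // Constructed JSESSIONID values, as they would appear in a cookie or access log.
        for (String id : List.of("6F1C0A9D3B5E4F7A8C2D1E0F9A8B7C6D.tomcat",
                                 "0A1B2C3D4E5F60718293A4B5C6D7E8F9.tomcat02",
                                 "11223344556677889900AABBCCDDEEFF")) {
            System.out.println(id + ": " + check(id, routes));
        }
    }
}
```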


RE: tomcat session problem

2012-01-11 Thread Caldarale, Charles R
> From: Igor Cicimov [mailto:icici...@gmail.com] 
> Subject: Re: tomcat session problem

> But you said you are using Apache as front end right?

Actually, he didn't, but that's because it appears Selvakumar Subramanian 
didn't even bother to read the subject line, let alone stick to his unrelated 
thread.  He jumped into the middle of a completely different discussion, which 
does use httpd as a front end, started by Weffen Cheung.

 - Chuck

