Milt,
I posted earlier (9/12) about a problem that we ran into with Apache/Tomcat having one user log in and get another user's data. Look for "Killing Apache Processes Connected to Tomcat via mod_jk (Ajp13)" for a little background. In the logs we found the error where USER1 called a jsp via POST that validated and redirected to a different servlet (GET). The parameters on the GET URL were not for the person that had just logged in but for USER2, who had logged in earlier and was still on the system performing other requests. To say the least, my world was rocked (in a bad way). They are SSL connections through different ISPs, so I'm throwing out caching proxies. USER1 didn't have a jsessionid attached to his URL on this POST (we have cookies=false and encodeURL everywhere, but it still happened). So now we have added a hard-coded ;jsessionid= on the first page to ensure it's there. I hadn't put too much thought into session hijacking. Now I just hope and pray that I don't get another incident. I have asked over and over and have never had anyone respond or appear to have a similar problem. We are on Apache 1.3.26 w/ ajp13 and TC 4.0.4 and had been killing off Apache processes that get stuck in a 'W' state.

John Moore

Milt Epstein wrote:

>On Thu, 19 Sep 2002, Jason Koeninger wrote:
>
>>I've been doing multi-threaded code for a long time, and while I'm
>>not going to say there's no way I made a mistake, I am going to say
>>that it's unlikely it's a threading issue. In this particular
>>application, I do session management in a single servlet, and all I
>>do is log the user on and place the user object in the session.
>>
>>I'll double-check it, but that's how it was originally written. Any
>>other thoughts?
>>
>
>I did say "could be" -- it is the most obvious thing that comes to
>mind.
>
>Similarly, it could be something wrong with those versions of Tomcat
>and/or mod_jk, but by the same token, if there were some such
>obvious/basic problem with it, you'd think it'd be pretty well known.
>But you might check the archives of this list to see if others have
>reported such problems with them.
>
>Is that the latest version of the 3.3 branch? If not, you could try
>to upgrade.
>
>In fact, if feasible, you might just upgrade to an entirely new
>version, and see if the problem persists. There's a 4.0 branch (up to
>4.0.4) and a 4.1 (up to 4.1.11 already or soon). Both those versions
>implement the latest servlet/jsp specs (2.3/1.2) (3.2 and 3.3
>implement 2.2/1.1). And the ajp12 protocol (I think that means
>version 1.2 of the AJP protocol) has been replaced by ajp13 (likewise,
>version 1.3 of the AJP protocol).
>
>
>>On Thu, 19 Sep 2002 14:40:39 -0500 (CDT), Milt Epstein wrote:
>>
>>>On Thu, 19 Sep 2002, Jason Koeninger wrote:
>>>
>>>>Has anyone seen sessions move between users running Tomcat 3.3.1?
>>>>I'm using Apache 1.3.26 connecting to Tomcat 3.3.1 with mod_jk using
>>>>the ajp12 protocol, and it sounds from user reports as if sessions
>>>>are moving between users. At first, I thought it had something to
>>>>do with proxies caching the pages, but the last report I got rules
>>>>out a proxy as the users were on totally independent networks.
>>>>
>>>This could be a multi-threading issue -- i.e. some of your code may
>>>not be thread-safe.
>>>
>>>Milt Epstein
>>>Research Programmer
>>>Integration and Software Engineering (ISE)
>>>Campus Information Technologies and Educational Services (CITES)
>>>University of Illinois at Urbana-Champaign (UIUC)
>>>[EMAIL PROTECTED]
>>>
>>
>>--
>>To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
>>For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>>
>
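The thread-safety possibility Milt raises (one servlet instance serving every user's request concurrently) is the classic way one user's data lands in another user's redirect. As an added illustration, not code from John's or Jason's application, here is the shape of that bug beside its fix; class, path and parameter names are assumptions, and the two public classes belong in separate files.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// BROKEN (hypothetical): the container creates ONE instance of a servlet and
// dispatches concurrent requests to it on different threads, so an instance
// field is shared by every user who is logging in at the same moment.
public class BrokenLoginServlet extends HttpServlet {
    private String currentUser;   // shared across threads: this is the bug

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        currentUser = req.getParameter("username");   // USER1's thread writes
        // ...USER2's thread can run the same line here and overwrite it...
        HttpSession session = req.getSession(true);
        session.setAttribute("user", currentUser);    // USER1 now stores USER2
        resp.sendRedirect(resp.encodeRedirectURL(
                "/app/home?user=" + currentUser));    // USER2's params on USER1's GET
    }
}

// FIXED (hypothetical): keep per-request state in locals and in the caller's
// own HttpSession; nothing user-specific lives in the servlet instance.
public class FixedLoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");   // local: one per thread
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);
        // encodeRedirectURL appends ;jsessionid=... when the container cannot
        // rely on a cookie, so the session survives the POST -> GET redirect
        // without carrying user-identifying parameters on the URL.
        resp.sendRedirect(resp.encodeRedirectURL("/app/home"));
    }
}
```

The same sharing problem arises with static fields and with non-thread-safe helpers held in instance fields; auditing a login servlet for any mutable state outside method locals and the HttpSession is the check to run before blaming the connector.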
