I was able to replicate the issue today. Asked few users to keep logging in and
ran jmeter to access login page, with out putting any username or password. Out
of the 100 attempts 2 attempts were
successful in getting in with out username/password. I am seeing database login
entries for these two. Which would happen only if a valid session is not
present and user has provided username/password.
On 03/01/2018 02:27 PM, Prasanth wrote:
> I have an application which uses both struts1 & struts2. The login action was
> recently moved to struts2. Immediately after the deployment we were notified
> that one user is seeing a different user
> information, so we had to move to older war files. I am not able to replicate
> it. But after investigating the logs it seems like couple users were logged
> in as soon as they requested the login page.
> For the database entry to happen it has to verify the username and password
> in the action class, but the fact that there is no POST entry at that time
> from that IP in my access log makes me believe
> that the action class some how already had that information from a prior user.
> I do have a login filter to check if users are logged in when accessing other
> pages. In this filter I have the below two lines, we had to do this as we
> will have requests forwarded from one
> application to another and when that happens we are getting class cast
> exception for ActionMapping class and valueStack. Not sure if the behavior is
> a side effect of having the below lines.
> request.setAttribute("struts.actionMapping", new
> request.setAttribute("struts.valueStack", null);
> We are using Struts 2.3.34 and Wildfly.
> Appreciate any insights you might have.