Hello,

I am currently working on an issue where an application is facing either
response mix or session mix.
For example:
1/ a user A gets the basket of customer B when going on basket detail
(response mix)
2/ Cookies also get mixed up, more of session mix in this case

The versions of components are the following:

   - Load Balancer => modjk_1.2.40 => Tomcat 5.5.23 (Yes very old)


I have searched the bug database and found this issue, which seems
similar:

   - https://issues.apache.org/bugzilla/show_bug.cgi?id=47714

But the issue is in state WORKSFORME so it is not a bug AFAIU.

Also, the issue seems to be related to a bug fix that occurred in mod_jk 1.2.27:
"AJP13: [CVE-2008-5519] Always send initial POST packet even if the client
disconnected after sending request but before providing POST data. In that
case or in case the client broke the connection in a middle of read send an
zero size packet informing container about broken client connection.
(mturk) "

What makes me say this is that there is a JBoss solution document that says
this:
https://access.redhat.com/solutions/19239

There is a known bug in mod_jk versions 1.2.26 and below that can cause
session crosstalk

"AJP13: [CVE-2008-5519] Always send initial POST packet even if the client
disconnected after sending request but before providing POST data. In that
case or in case the client broke the connection in a middle of read send an
zero size packet informing container about broken client connection.
(mturk) "

So with version 1.2.40 no issue should remain Afaik.

So I have 3 questions:

1) Does the fix in mod_jk require an upgrade to a particular Tomcat version?

2) The issue was related to a security problem, but how did the response mix
occur?

3) The closing of Bug 47714 as WORKSFORME is not clear to me. Is it possible
that a non-optimal config can lead to this issue, for example:

- Not setting recovery_options? What would be the technical explanation?

The request would be retried, but how would the mix occur?
Besides this, I am investigating load balancer and application issues.

Thanks for help
Regards
Philippe M.


-- 
Cordialement.
Philippe Mouawad.
