Hello, I am working currently on an issue where an application is facing either Response mix or Session mix. For example: 1/ a user A gets the basket of customer B when going on basket detail (response mix) 2/ Cookies also get mixed up, more of session mix in this case
The versions of components are the following: - Load Balancer => modjk_1.2.40 => Tomcat 5.5.23 (Yes very old) I have made some searches on bug database and found this issue which seems similar: - https://issues.apache.org/bugzilla/show_bug.cgi?id=47714 But the issue is in state WORKSFORME so it is not a bug AFAIU. Also issue seems to be related to a bug fix that occured in mod_jk 1.2.27 : "AJP13: [CVE-2008-5519] Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk) " What makes me say this is that there is a JBoss solution document that says this: https://access.redhat.com/solutions/19239 There is a known bug in mod_jk versions 1.2.26 and below that can cause session crosstalk "AJP13: [CVE-2008-5519] Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk) " So with version 1.2.40 no issue should remain Afaik. So I have 3 questions: 1) Does the fix in mod_jk require an upgrade to a particular tomcat version ? 2) The issue was related to a security problem, but how response mix did occur ? 3) The Bug 47714 close as Worksforme is not clear for me. Is it possible that non optimal config can lead to this issue, for example: - Not setting recovery_options ? what would be the technical explanation ? Request would be retried but how mix would occur ? I am besides this investigating load balancer and application issues. Thanks for help Regards Philippe M. -- Cordialement. Philippe Mouawad.
