Hello,

Any feedback on this?

Thanks

On Sun, Sep 7, 2014 at 11:49 PM, Philippe Mouawad <philippe.moua...@gmail.com> wrote:

> Hello,
>
> I am working currently on an issue where an application is facing either
> Response mix or Session mix.
> For example:
> 1/ a user A gets the basket of customer B when going on basket detail
> (response mix)
> 2/ Cookies also get mixed up, more of session mix in this case
>
> The versions of components are the following:
>
> - Load Balancer => modjk_1.2.40 => Tomcat 5.5.23 (Yes very old)
>
> I have made some searches on bug database and found this issue which seems
> similar:
>
> - https://issues.apache.org/bugzilla/show_bug.cgi?id=47714
>
> But the issue is in state WORKSFORME so it is not a bug AFAIU.
>
> Also issue seems to be related to a bug fix that occurred in mod_jk 1.2.27:
> "AJP13: [CVE-2008-5519] Always send initial POST packet even if the client
> disconnected after sending request but before providing POST data. In that
> case or in case the client broke the connection in a middle of read send an
> zero size packet informing container about broken client connection.
> (mturk) "
>
> What makes me say this is that there is a JBoss solution document that
> says this:
> https://access.redhat.com/solutions/19239
>
> There is a known bug in mod_jk versions 1.2.26 and below that can cause
> session crosstalk
>
> "AJP13: [CVE-2008-5519] Always send initial POST packet even if the client
> disconnected after sending request but before providing POST data. In that
> case or in case the client broke the connection in a middle of read send an
> zero size packet informing container about broken client connection.
> (mturk) "
>
> So with version 1.2.40 no issue should remain Afaik.
>
> So I have 3 questions:
>
> 1) Does the fix in mod_jk require an upgrade to a particular tomcat
> version?
>
> 2) The issue was related to a security problem, but how response mix did
> occur?
>
> 3) The Bug 47714 close as Worksforme is not clear for me. Is it possible
> that non optimal config can lead to this issue, for example:
>
> - Not setting recovery_options?
> what would be the technical explanation?
>
> Request would be retried but how mix would occur?
> I am besides this investigating load balancer and application issues.
>
> Thanks for help
> Regards
> Philippe M.
>
> --
> Cordialement.
> Philippe Mouawad.

--
Cordialement.
Philippe Mouawad.