Hi Guys, Thanks for your feedback. @André, I am working (not continually on the issue) on the issue, my mail (sent the day I started working on it) was just to have some additional analysis elements. I am happy to see bug has evolved and I followed the same exact path that one of the guys mentions, which is using a Load Test with a bit modified script to detect JSESSIONID mix. But unfortunately I didn't reproduce it. I will be working on it again this friday and will give as much feedback as I can.
Regarding upgrade to last Tomcat version , it is unfortunately not a short term option but it is not excluded, as you know in enterprise world moving UP a version for a big application is not an easy thing. Regarding the $consultant and the time , I can understand as I am also working on my spare time at Apache :-) @Christopher, we are already IN PROD on 1.2.40 of mod_jk and issue is happening. But we don't have yet the optimal (no retry) config in PROD, the first thing we will do is apply it on Load Test Env then prod to see if issue persists. Unfortunately reading further comments on bug, I see even after fixing this, issue persists (but will do it to be sure), and disabling connection reuse does not seem to be a good option on perf side, but it gives a hint that maybe the reused connection is not correctly cleaned up which could explain the "response mix". Regarding content length mentionned in bug , AFAIU this should be controlled by Tomcat (except for certain kind of responses like PDF generation where it is usually set by custom code). Thanks all for your answers. Regards On Thu, Sep 25, 2014 at 2:57 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Phillipe, > > On 9/7/14 5:49 PM, Philippe Mouawad wrote: > > I am working currently on an issue where an application is facing > > either Response mix or Session mix. For example: 1/ a user A gets > > the basket of customer B when going on basket detail (response > > mix) 2/ Cookies also get mixed up, more of session mix in this > > case > > > > The versions of components are the following: > > > > - Load Balancer => modjk_1.2.40 => Tomcat 5.5.23 (Yes very old) > > Yikes. > > > 1) Does the fix in mod_jk require an upgrade to a particular tomcat > > version ? > > No. mod_jk uses AJP13 protocol which all reasonably recent versions of > Tomcat (including 5.5!) support. Upgrading mod_jk should not be a > problem for you. > > > 2) The issue was related to a security problem, but how response > > mix did occur ? > > You'd have to read a whole lot more about the bug to understand that. > I'll paraphrase a recent statement: "this isn't a Hacking 101 course." > > > 3) The Bug 47714 close as Worksforme is not clear for me. Is it > > possible that non optimal config can lead to this issue, for > > example: > > > > - Not setting recovery_options ? what would be the technical > > explanation ? > > > > Request would be retried but how mix would occur ? > > I'm not sure. If we knew what the issue was, we probably would have > fixed it by now. Note that the resolution was WORKSFORME but it has > recently been re-opened along with some code that allegedly reproduces > the behavior. I haven't tried it myself, though. > > > I am besides this investigating load balancer and application > > issues. > > So you are experiencing response mix-ups as well? If so, please add > anything you can to that bug report. Of course, only after upgrading > to the most recent version of mod_jk. > > - -chris > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > Comment: GPGTools - http://gpgtools.org > > iQIcBAEBCAAGBQJUJBE4AAoJEBzwKT+lPKRYLf8P/3lNsLdqxFWUt6htMqGaYFtl > rd3BcJw1ZepuzRFqfWaS8qvB5xV9/ZrbNQjSHk8r98ItvikM7wrbrCt24CX/WpvW > JrS+RnrirL2bmSM8Anvp3/akGnl+pbkUKz3DxqSHqT/T1MMLUU0hn3XwsZ/Sfhqq > Myg7jsODxVbYJWoXVx7IDYWTnd3JCXFCE+QUXX195QUY0iMNc5/eucpu/OtokZ6R > HnSjDZCtq2EKFFk/eXywUzBXpbNG9tmg4aTD0+VOsrnDVhFoWbAyQEe9NI2xTqpb > CiR9umcmAg3LxRUMLOXec3qdS6UQMzv7GXOCJ7JA5mI5EgV5GE/PFq+dbuGfNKNh > +gU17k9uypCtzgcG9e2J7guiYc24ZJ5W5ILtElfBwoyHXoW57iW57GOx0T0PdZge > 7NUCc3naBRjfjnWV77E1QKbeqKYnwQBAZdShTBChJVSQYsgOGPn6IqeILqn7za4d > P4bW+3v2qQPE9AeEYI+vKM3juy+hcsOK6vs8wKPDYhRxo+zc7ArwPfjZ1ry6MoPX > 1o3J0sYMEELrP786uoDILuKFNJ38outxBIiZ7Ce+KLyZBaUiGTqacD5zwevLwAS2 > w4GeJixYxKoQbUP90nBLdZMERM7ZJqFY7+1RWLiWkysMis8p0KiBt15reGATpD22 > Wvmxu6q9eMFaaU5DIKHF > =nPPd > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > -- Cordialement. Philippe Mouawad.