Hi,

We were running Tomcat 8.5.57 on CentOS 7 together with CAS SSO; we have multiple servers behind an AWS load balancer set up with sticky sessions. We encountered a weird situation where a user who logged into their application was presented with another user's profile after login. Has anyone encountered something similar to this? Both users hit the same Tomcat server seconds apart, and the user was on his personal computer and doesn't know the first user.

We have async-supported set to true for both the default and JSP servlets and are using the http11.Http11NioProtocol connector with sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation" and <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />. Unfortunately we could not find any errors in the logs. We encountered something similar in the past when running on Tomcat 8.0; it was related to low entropy on the environment and Tomcat not being able to generate a session for the incoming user and reusing the JSESSIONID of a previous user. We did see errors for this in the logs. This was fixed by adding a service to increase entropy and upgrading to a later version of Tomcat 8.5. Any suggestions or help regarding logging that might help shed some light on this would be much appreciated. We have also patched Tomcat to the latest release, 8.5.61, to see if it helps.

Thanks!
Juan Q.
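One way to get the logging the post asks for: a servlet filter that records which authenticated principal each session is first seen with and warns when the same JSESSIONID is later presented by a different principal, also noting stale session ids and the worker thread (useful with async processing). This is an added example, not code from the original post or from Tomcat; it assumes the filter is mapped after the CAS client filters so that getUserPrincipal() is already populated, and the attribute name audit.sessionOwner is an arbitrary choice.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Audits session ownership: flags a session that is presented by a different principal than it was bound to. */
public class SessionOwnerAuditFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SessionOwnerAuditFilter.class.getName());
    private static final String OWNER_ATTR = "audit.sessionOwner"; // arbitrary attribute name chosen for this example

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String thread = Thread.currentThread().getName();
        String requested = http.getRequestedSessionId();
        if (requested != null && !http.isRequestedSessionIdValid()) {
            // The client sent a JSESSIONID the container does not recognise (expired, or replaced by a new one).
            LOG.info(() -> "stale session id presented: " + requested
                    + " from " + http.getRemoteAddr() + " on " + thread);
        }
        HttpSession session = http.getSession(false);
        if (session != null && http.getUserPrincipal() != null) {
            String current = http.getUserPrincipal().getName();
            String owner = (String) session.getAttribute(OWNER_ATTR);
            if (owner == null) {
                // First authenticated request on this session: remember who it belongs to.
                session.setAttribute(OWNER_ATTR, current);
                LOG.info(() -> "session " + session.getId() + " bound to " + current
                        + " (new=" + session.isNew() + ") from " + http.getRemoteAddr() + " on " + thread);
            } else if (!owner.equals(current)) {
                // Same session id, different authenticated user: exactly the cross-user symptom to investigate.
                LOG.warning(() -> "session " + session.getId() + " bound to " + owner
                        + " now presented by " + current + " from " + http.getRemoteAddr() + " on " + thread);
            }
        }
        chain.doFilter(req, res);
    }
}
```

Register it in web.xml with <async-supported>true</async-supported> and a url-pattern of /* placed after the CAS filter mappings; correlating the warning's session id and thread name with the access log (with %S for the session id) shows whether the id was reused or the wrong session was attached to the request.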