tomcat session mixing

0 votes
341 views

I'm using Apache Tomcat/6.0.24 running on CentOS and have several times observed a rare issue in which user sessions are "mixed". When this occurs, userA clicks on a link and is provided with userB-specific content, content that should only be accessible to userB. When this "mixing" occurs, it seems to affect multiple sessions at the same time, i.e. userA and userB are not the only ones affected. Restarting Tomcat fixed the problem.

Does anyone know what causes this or how to prevent it?

posted Jun 17, 2013 by anonymous


1 Answer

+1 vote
 
Best answer

This is caused by an application bug in 99.9% of cases.

There are known issues in 6.0.24 that could cause this. In any case, given the number of security fixes since 6.0.24, an upgrade to 6.0.37 is in order.

answer Jun 17, 2013 by anonymous
Thanks for the info! I'll look into making the upgrade.

Can you advise how an application bug can cause this when restarting Tomcat will fix it? That would help me wrap my mind around something that isn't imaginable, yet.

If you store a request object in a session, for example. Another one is having a servlet-scoped variable that gets set in the doGet/doPost/etc. method.

There are other ways to shoot yourself in the foot, but these are two of the most obvious (and common).

Other ways to leak information include, but are not limited to:

- Sloppy ThreadLocal management
- Retaining a reference to a request or response object
- Retaining a reference to a servlet Input/OutputStream
- Retaining a reference to a session

Hope that helps,
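
The two application bugs named in the reply above, a servlet-scoped field set in doGet and a request object stored in the session, shown as an added example that is not code from this thread or from Tomcat itself. The first servlet carries the defect; the second is the corrected form. The class names, the `currentUser` session attribute, the `lastRequest`/`lastPath` attributes and the `X-Request-Id` header are assumptions made for the illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// DEFECTIVE: the container creates one instance of a servlet and dispatches
// every request to it from a pool of worker threads, so instance fields are
// shared by all concurrent requests. Two requests race on 'user' and 'session'
// and one caller is rendered with the other caller's data: the "mixing" symptom.
class LeakyAccountServlet extends HttpServlet {
    private String user;          // shared across threads: the bug
    private HttpSession session;  // retained session reference: also a bug

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        session = req.getSession();
        user = (String) session.getAttribute("currentUser"); // hypothetical attribute
        // ... other work; meanwhile another thread may overwrite 'user' and 'session'
        resp.setContentType("text/plain");
        resp.getWriter().println("Account page for " + user);
        // Storing the request in the session keeps a container-owned, recycled
        // object alive past the request that owned it (the reply's first bug).
        session.setAttribute("lastRequest", req);
    }
}

// CORRECTED: per-request state lives in local variables (one stack frame per
// thread); no container-owned request, response, stream or session object is
// retained; and the ThreadLocal is cleared in a finally block so a pooled
// thread does not carry one user's value into the next user's request.
class AccountServlet extends HttpServlet {
    private static final ThreadLocal<String> REQUEST_ID = new ThreadLocal<String>();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        REQUEST_ID.set(req.getHeader("X-Request-Id")); // hypothetical header
        try {
            HttpSession session = req.getSession(false);
            String user = (session == null)
                    ? null
                    : (String) session.getAttribute("currentUser");
            if (user == null) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            resp.setContentType("text/plain");
            resp.getWriter().println("Account page for " + user);
            // Keep a copy of the data you need (here the URI as a String),
            // never the request, response, stream or session object itself.
            session.setAttribute("lastPath", req.getRequestURI());
        } finally {
            REQUEST_ID.remove(); // the "sloppy ThreadLocal management" case
        }
    }
}
```

Under concurrent load the defective servlet intermittently prints one user's name into another user's response, and because the stale field values survive until the servlet instance is discarded, a Tomcat restart makes the symptom disappear, which is why an application bug can look like a container bug. The corrected servlet cannot mix users: each worker thread holds its own locals, and nothing outlives the request it belongs to.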
Similar Questions
+3 votes

We have currently started using Tomcat 7.0 in our development environment. Following are the configuration details:

Tomcat Version: 7.0.55
Java Version: 1.7.0.67

We have a requirement to implement clustering for one of our applications. The same application's active but idle sessions need to be persisted to a JDBC store. We have a small cluster of just two nodes, so as recommended we need to use DeltaManager, but for session persistence we need to use PersistentManager. PersistentManager is not recommended for clustering as the session data is not swapped out in real time. As far as I understand, we can only use one of the manager configurations.

Can you please let me know if it is possible to achieve session persistence along with clustering? If yes, how can we achieve the same?

+1 vote

I'm trying to figure out how I can create custom session cookies. I've found the Manager interface for creating the sessions, but there's nothing about the actual session cookie. I don't see anything in the Valve interface that will let me do this either. Is this possible in Tomcat 7 (or 8?).

0 votes

Setup:
- Two physical servers each running Tomcat 7.0.42
- Brocade load balancer in front

The load balancer is set to source IP persistence for 5 minutes. This time can be changed of course.

The thing I don't understand is: 5 minutes or 5 hours, at the end of that time limit the user can be sent to the other server and lose data stored in the session.

So why do sticky sessions matter when session replication is turned on in Tomcat? Is it a performance issue?

0 votes

I have been searching for an answer to how to set this up. I find a lot of posts on session persistence but none seem to describe how to set it up. Is there a simple explanation out there that tells me how I go about setting up session persistence (with Apache, I would just set up memcached on the db server and configure the memcache module on each Apache instance to point to the memcached and it works). I don't need opcode persistence. I just want the tomcats to either a) direct all session traffic to a single node or b) make the two tomcats aware of all sessions. Can someone point me in the right direction? I am not a java coder, but if code changes need to be made, I can work through it.

0 votes

What is the procedure to disable the session (JSESSIONID) entirely within Tomcat 7?

...