tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 44116] New: - Multiple JSESSIONID handling with overlapping domains does not work
Date Fri, 21 Dec 2007 11:00:18 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=44116>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=44116

           Summary: Multiple JSESSIONID handling with overlapping domains
                    does not work
           Product: Tomcat 6
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: Native:JK
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: david.ramblewski@gmail.com
                CC: david.ramblewski@atosorigin.com


The changelog notes for mod_jk 1.2.6/1.2.7 specify that mod_jk properly handles
multiple JSESSIONID cookies with overlapping domains as described below:

"Check all JSESSIONID cookies for a valid jvmRoute. If you have multiple Tomcats
with overlapping domains, then you can get multiple cookies without a defined
order. This will route correctly as long as the different domains don't have any
Tomcats in common. (billbarker)"

Unfortunately this feature does not work properly because of a bug in the design
implementation.

In the source file "jk_lb_worker.c", the function "get_cookie" should get every
JSESSIONID cookie contained in the HTTP header but there is a mistake using the
char pointers "id_start/id__end". The result is that we just get the first
JSESSIONID cookie, the others are simply lost in memory.

The bug is reproducible as follows:
    nc website 80
    GET /hello.jsp HTTP/1.0

Then you will get a JSESSIONID Cookie in the HTTP header, for example:
    Set-Cookie: JSESSIONID=297267684ED72B2F3AB38CFDD4402FC5; Path=/

Finally:
    nc website 80
    GET /hello.jsp HTTP/1.0
    Cookie: JSESSIONID=297267684ED72B2F3AB38CFDD4402FC6;JSESSIONID=297267684ED72B2F3AB38CFDD4402FC5;

You should not get another JSESSIONID (Set-Cookie option directive) and your
request should be forwarded to the correct tomcat worker but it does not work.
Actually, mod_jk gets the first JSESSIONID, which is voluntarily invalid, but Tomcat
does not know it and sends us another "Set-Cookie" HTTP option header.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
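
Added example, not part of the bug report and not mod_jk source: a minimal C sketch of the behaviour the quoted changelog entry describes, scanning every JSESSIONID cookie in a Cookie header and routing on the first one that carries a valid jvmRoute. The names pick_route and known_route, the worker names tc1/tc2 and the sample headers are constructed; the route is assumed to be the text after the first '.' in the session ID.

```c
#include <stdio.h>
#include <string.h>

/* Constructed worker names (jvmRoute values), not taken from the report. */
static const char *const ROUTES[] = { "tc1", "tc2" };

static int known_route(const char *r, size_t n) {
    for (size_t i = 0; i < sizeof ROUTES / sizeof ROUTES[0]; i++)
        if (strlen(ROUTES[i]) == n && memcmp(ROUTES[i], r, n) == 0)
            return 1;
    return 0;
}

/* Hypothetical helper: walk every name=value pair of a Cookie header value and
 * copy out the route of the first JSESSIONID whose suffix after '.' names a
 * known worker. Returns 1 on success, 0 if no cookie carries a valid route. */
int pick_route(const char *hdr, char *out, size_t outsz) {
    static const char name[] = "JSESSIONID=";
    const size_t nlen = sizeof name - 1;
    const char *p = hdr;
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == ';')
            p++;                                   /* skip separators */
        const char *end = p + strcspn(p, ";");     /* end of this pair */
        if ((size_t)(end - p) > nlen && strncmp(p, name, nlen) == 0) {
            const char *val = p + nlen;
            const char *dot = memchr(val, '.', (size_t)(end - val));
            size_t rlen = dot ? (size_t)(end - dot - 1) : 0;
            while (rlen && (dot[rlen] == ' ' || dot[rlen] == '\t'))
                rlen--;                            /* trim trailing blanks */
            if (rlen && rlen < outsz && known_route(dot + 1, rlen)) {
                memcpy(out, dot + 1, rlen);
                out[rlen] = '\0';
                return 1;
            }
        }
        p = end;   /* invalid or foreign cookie: keep scanning, do not stop */
    }
    return 0;
}

int main(void) {
    char r[32];
    const char *h = "JSESSIONID=AAAA.gone;JSESSIONID=BBBB.tc2;"; /* constructed */
    printf("%s\n", pick_route(h, r, sizeof r) ? r : "(no valid route)");
    return 0;
}
```

A header whose session IDs carry no route suffix, like the one in the reproduction steps, makes pick_route return 0, so the caller would fall back to normal load balancing.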

