tomcat-users mailing list archives

From Fedor Karpelevitch <fe...@simpata.com>
Subject RE: Help: Cross-session parameters leaking?
Date Wed, 03 May 2000 22:43:33 GMT
First thing I would check: isn't the 'url' variable static? Would be strange but
could create the problem you had if not synchronized.

WBR, Fedor.
 
Today: Errare humanum est.
 
 


> -----Original Message-----
> From: Ken Grigg [mailto:ken.grigg@amikanow.com]
> Sent: Wednesday, May 03, 2000 3:19 PM
> To: tomcat-user@jakarta.apache.org
> Subject: Help: Cross-session parameters leaking?
> 
> 
> One of my nightmare scenarios occurred yesterday regarding Tomcat, and I'm
> hoping that this is something I've done wrong and not a hole in Tomcat 3.1.
> Any help would be greatly appreciated!!
> 
> I have a login JSP that does a POST to a validation JSP with two parameters,
> userID and password.  The validation JSP first gets the userID using:
> 
>     userID = request.getParameter("userID");
> 
> and then checks the database for a match. If the userID does not match a
> database entry, the JSP does a redirection back to the login JSP using:
> 
>     if (!response.isCommitted()) {
>        try {
>            response.sendRedirect(response.encodeRedirectURL(url));
>        } catch (IOException e) {
>            // ... error handling omitted
>        }
>     }
> 
> where the url String is
> 'http://www.my.com/myapp/first.jsp?userID=theUserID&eText=someErrorText'.
> When the login JSP sees eText it displays that and then redisplays the login
> box with the userID field filled in.
> 
> This process is working great in general for me.
> 
> My problem is that I got a report from someone using the page that when they
> entered their userID incorrectly, they got the eText but the userID returned
> was that of another user! The url captured on the user's browser clearly
> shows the other user's userID. This has only happened once, but the load on
> the site is VERY light. I'm told there was no IP address or naming conflict
> between the two machines, and the other user didn't see anything unusual. I
> was unable to capture the logs of this event (we restarted for another
> reason before the problem was posted), and we can't duplicate it.
> 
> This looks to me like the validation JSP was handed another session's
> request, with obviously bad implications if this starts to happen under
> load.
> 
> My configuration is Apache 1.3.12 with mod_ssl (although ssl wasn't used
> here), the release version of Tomcat 3.1, RH Linux 6.1, IBM JDK 1.1.8.
> 
> Hope someone can help here!
> 
> Thanks...	Ken.
> 
> --------------------------------------------------------------------------
> To unsubscribe, email: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, email: tomcat-user-help@jakarta.apache.org
> 
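Fedor's hypothesis (a `url` variable shared between request threads) as an added illustration, not code from either message and not from Tomcat: a plain Java program that pushes 50 simultaneous "requests" through a cut-down version of Ken's validation step, once with `url` as a static field and once as a local variable, and counts how many callers got back a redirect carrying another user's userID. The class name, the method names and the `&eText=bad` value are assumptions made for the example.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

// Stand-in for the validation JSP (hypothetical class, not from the thread).
// A JSP declaration such as <%! String url; %> becomes a field of the single
// servlet instance serving every request, shared like the static field below.
public class SharedUrlRace {
    static final String LOGIN = "http://www.my.com/myapp/first.jsp?userID=";
    // BUGGY: per-request data kept in a field that all request threads share.
    static String url;
    static String buildRedirectShared(String userID) throws InterruptedException {
        url = LOGIN + userID + "&eText=bad";
        Thread.sleep(5);   // stands in for the database lookup between write and read
        return url;        // may now carry another request's userID
    }

    // FIXED: a local variable is confined to the thread handling this request.
    static String buildRedirectLocal(String userID) throws InterruptedException {
        String url = LOGIN + userID + "&eText=bad";
        Thread.sleep(5);
        return url;
    }
    // Runs n concurrent "requests" and returns how many received a redirect URL
    // carrying someone else's userID (shared: usually well above 0; local: always 0).
    static int countLeaks(boolean shared, int n) throws InterruptedException {
        CountDownLatch go = new CountDownLatch(1);
        AtomicInteger leaks = new AtomicInteger();
        Thread[] threads = new Thread[n];
        for (int i = 0; i < n; i++) {
            String me = "user" + i;
            threads[i] = new Thread(() -> {
                try {
                    go.await();   // all threads start together to maximise overlap
                    String got = shared ? buildRedirectShared(me) : buildRedirectLocal(me);
                    if (!got.startsWith(LOGIN + me + "&")) leaks.incrementAndGet();
                } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
            });
            threads[i].start();
        }
        go.countDown();
        for (Thread t : threads) t.join();
        return leaks.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared field leaks: " + countLeaks(true, 50));
        System.out.println("local variable leaks: " + countLeaks(false, 50));
    }
}
```

The same confinement rule applies to instance fields: in a servlet or JSP, anything derived from one request belongs in a local variable or in that request's own session, never in a field of the servlet.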
