tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ken Grigg <>
Subject Help: Cross-session parameters leaking?
Date Wed, 03 May 2000 22:18:50 GMT
One of my nightmare scenarios occurred yesterday regarding Tomcat, and I'm
hoping that this is something I've done wrong and not a hole in Tomcat 3.1.
Any help would be greatly appreciated!!

I have a login JSP that does a POST to a validation JSP with two parameters,
userID and password.  The validation JSP first gets the userID using:

    userID = request.getParameter("userID");

and then checks the database for a match. If the userID does not match a
database entry, the JSP does a redirection back to the login JSP using:

    if (!response.isCommitted()) {
       try {
       } catch (IOException e) {

where the url String is
When the login JSP sees eText it displays that and then redisplays the login
box with the userID field filled in.

This process is working great in general for me.

My problem is that I got a report from someone using the page that when they
entered their userID incorrectly, they got the eText but the userID returned
was that of another user! The url captured on the user's browser clearly
shows the other user's userID. This has only happened once, but the load on
the site is VERY light. I'm told there was no IP address or naming conflict
between the two machines, and the other user didn't see anything unusual. I
was unable to capture the logs of this event (we restarted for another
reason before the problem was posted), and we can't duplicate it.

This looks to me like the validation JSP was handed another session's
request, with obviously bad implications if this starts to happen under

My configuration is Apache 1.3.12 with mod_ssl (although ssl wasn't used
here), the release version of Tomcat 3.1, RH Linux 6.1, IBM JDK 1.1.8.

Hope someone can help here!

Thanks...	Ken.

View raw message