tomcat-users mailing list archives

From Daniel Mikusa
Subject Re: tomcat session problem
Date Wed, 11 Jan 2012 21:42:52 GMT
On Wed, 2012-01-11 at 10:21 -0800, Weffen Cheung wrote:
> Hello, 
> First, thanks for your reply, Dan.
> 1. Yes, I am using apache2+mod_proxy in front of the two tomcats; here is the configuration in httpd.conf:
>         ProxyPass /images/ !
>         ProxyPass /css/ !
>         ProxyPass /js/ !
>         ProxyPass /photo/ !
>         ProxyPass /icon/ !
>         ProxyPass /pg/ !
>         ProxyPass /job/ !
>         ProxyPass /maintenance/ !
>         ProxyRequests Off
>         <Proxy balancer://cluster/>
>                 BalancerMember ajp://localhost:8009/ route=tomcat loadfactor=1
>                 BalancerMember ajp://localhost:8010/ route=tomcat2 loadfactor=1
>         </Proxy>
>         ProxyPass / balancer://cluster/ stickysession=JSESSIONID nofailover=On
>         ProxyPassReverse / balancer://cluster/
> 2. I am not sure whether the problem occurs on the same tomcat, because I have no idea how to confirm that. Could you give me any tips to find it out?

It will take a bit of work, but here are two possibilities...

If you are able to talk with the user when the problem occurs, try to
get some information from the user:  the time the problem happened, the
resource that was accessed or anything else that can be used to identify
the request in the logs.

Once you have that information, you'll need to look at the access logs
to find the user's request and see which machine the request was sent

Alternatively, if you can get the session id of the problem request, it
should have the route appended to the end of it.  That would also tell
you which machine the request was sent to.

> This problem occurs occasionally, and I really don't know whether it is because of the session duplication or tomcat session manager itself.

As I mentioned before, the most likely cause is due to a session,
request or response object being retained by one of your application's
servlets.  Doing this can cause problems very similar to the one that
you are reporting.

You should check your application to make sure that you never assign the
session, request or response objects to a field on your Servlet objects.
This is not thread safe and can cause a problem very similar to you are


> 3. But one thing I am sure of is that the two users use different PCs to log in, which means that the cookie is not the reason at all.
> Have any fellows had such a problem? This problem is so bad that it has driven me and my visitors crazy, which is a big security problem!
> Any advice is highly appreciated!
> Thanks in advance!
> Weffen
> On 2012-1-11, at 9:52 PM, Daniel Mikusa wrote:
> > On Wed, 2012-01-11 at 02:29 -0800, Weffen Cheung wrote:
> >> Hello,
> >> 
> >> I am using 2 tomcat(7.0.11) on my server, with clustering and session duplication. All the things are running smoothly except the session problem sometimes:
> >> 
> >> 1. userA login, userB login
> > 
> > Are userA and userB on the same TC instance?
> > 
> >> 2. Sometimes when userB loads a page, he finds that he has become userA; it means that userB's login session data has been replaced with userA's. Don't know why. Is it a bug?
> > 
> > In most cases this occurs due to a session, request or response object
> > being retained by a servlet.  This is bad and can cause behaviors
> > similar to the one you are reporting.
> > 
> >> Has anyone encountered the same problem?
> >> 
> >> Any advice would be highly appreciated!
> > 
> > One other thought, what do you have in front of the two TC instances?
> > Apache HTTPD with mod_proxy? or with mod_jk?
> > 
> > Have you confirmed that the correct session id is being sent from the
> > browser to your load balancer and then from the load balancer to your TC
> > instance?
> > 
> > Dan
> --
> Weffen Cheung
> E:
> M: 13802222618
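
Added example (not part of the original message and not Tomcat or httpd code): a small triage script for the two checks Dan describes, reading each instance's access log and using the route suffix on the session id to see which backend a request belongs to. The log lines are constructed, and the AccessLogValve pattern `%h %t "%r" %s %S` is an assumption about how the valve is configured; the route names `tomcat` and `tomcat2` come from the BalancerMember lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines, one list per Tomcat instance, keyed by
# the route name from the balancer config (route=tomcat / route=tomcat2).
# Assumed AccessLogValve pattern: %h %t "%r" %s %S   (%S = user session id)
SAMPLE_LOGS = {
    "tomcat": [
        '10.0.0.5 [11/Jan/2012:10:01:02 -0800] "GET /home HTTP/1.1" 200 A1B2C3D4.tomcat',
        '10.0.0.9 [11/Jan/2012:10:01:07 -0800] "GET /profile HTTP/1.1" 200 E5F6A7B8.tomcat2',
        '10.0.0.9 [11/Jan/2012:10:02:11 -0800] "GET /profile HTTP/1.1" 200 A1B2C3D4.tomcat',
    ],
    "tomcat2": [
        '10.0.0.9 [11/Jan/2012:10:00:40 -0800] "POST /login HTTP/1.1" 302 E5F6A7B8.tomcat2',
        '10.0.0.7 [11/Jan/2012:10:03:00 -0800] "GET /about HTTP/1.1" 200 -',
    ],
}

LINE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

def route_of(session_id):
    """Return the route appended after the last '.', or None if there is none."""
    _, dot, route = session_id.rpartition(".")
    return route if dot else None

def triage(logs):
    """Return (misrouted requests, session ids seen from more than one client)."""
    misrouted, clients = [], defaultdict(set)
    for instance, lines in logs.items():
        for line in lines:
            m = LINE.match(line)
            if not m or m.group(5) == "-":      # unparsable line or no session
                continue
            client, when, request, _status, sid = m.groups()
            clients[sid].add(client)
            # Sticky sessions should keep a session on the instance named in its
            # suffix; a missing suffix (no jvmRoute set) is flagged as well.
            if route_of(sid) != instance:
                misrouted.append((instance, when, request, sid))
    shared = {sid: sorted(c) for sid, c in clients.items() if len(c) > 1}
    return misrouted, shared

if __name__ == "__main__":
    misrouted, shared = triage(SAMPLE_LOGS)
    for instance, when, request, sid in misrouted:
        print(f"{when} {request!r}: session {sid} was handled by {instance}")
    for sid, addrs in shared.items():
        print(f"session {sid} was presented by several clients: {', '.join(addrs)}")
```

A session id presented from several client addresses is only a lead to follow up (clients behind one NAT or proxy share an address, and one user can change address), but it gives the timestamp and request to compare against the user's report.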