tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From joel <j...@physics.tamu.edu>
Subject Re: tomcat session mixing
Date Mon, 17 Jun 2013 21:12:18 GMT
 

Hi Chris, 

Thanks for the help. I'm not an expert with tomcat
management, There are no servlets. I don't know what Threadlocal,
doGet/doPost/etc are, so presumably haven't used them. No references are
kept to request,response, session, or stream objects. At login, a user
session token is stored: 

 session.setAttribute("userToken",
userToken);

This token also contains wrapper methods to make server
calls. When tomcat starts mixing sessions, it at least some of the time
incorrectly maps the userToken with the user.

I'll start the process of
upgrading tomcat and hopefully that is all it takes (and hopefully it
doesn't introduce new problems).

Joel

On 2013-06-17 12:47, Christopher
Schultz wrote: 

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>

> Joel,
> 
> On 6/17/13 12:01 PM, joel wrote:
> 
>> Thanks for the
info! I'll look into making the upgrade. Can you advise how an
application bug can cause this when restarting tomcat will fix it? That
would help me wrap my mind around something that isn't imaginable,
yet.
> 
> If you store a request object in a session, for example.
Another one
> is having a servlet-scoped variable that gets set in the
>
doGet/doPost/etc. method.
> 
> There are other ways to shoot yourself in
the foot, but these are two
> of the most obvious (and common).
> 
>
Other ways to leak information include, but are not limited to:
> 
> - -
Sloppy ThreadLocal management
> - - Retaining a reference a request or
response object
> - - Retaining a reference to a servlet
Input/OutputStream
> - - Retaining a reference to a session
> 
> Hope
that helps,
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version:
GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools -
http://gpgtools.org
> Comment: Using GnuPG with Thunderbird -
http://www.enigmail.net/
> 
>
iQIcBAEBCAAGBQJRv0vAAAoJEBzwKT+lPKRY01IQAIDwohve5xSpLBN+IqVCUJDQ
>
fW8Iyqch5B6h0nNNQh+A5uxAtWDNnCRUb0PTVwuk3mSYiiDXq9XwhW0Z1zQmmV/Y
>
1J4WyiEJfksjDq4NQa0bH4rUh9wbvHu8beTihz73zN4ydHe/kyOTIiC9K0SBs1Dh
>
HvsjRrf/+jXkg8SNvTZGxHZ9wCMv2wuRA2SFYy5PJIOgjBEDrVzctxwSidcBlta6
>
FhQmTV2DJELBjbc9QPl5DXrsnGntb0T9gzvOuxhl4hWVkt2oIO2MUdYkPGV9APIi
>
rAH4/dJtXzhMs4laMFIsiLBt2eNx8zMJUUfW0wnj1zjfxWqg6chIdidlkqc/M6Bn
>
A3oC3V5QGLrdeONHmvelOqX+9st3OorrKBvk+JoIVzvxN2zeXQacYJGiOOI484Vc
>
HdbWdBrcAgk3PVwtOnR8NF+jCP0quDuiS5O9C3UpXjAr/F/azeVswJZImWVTElJO
>
LmhfRFBq/CaopNJGRRm3MWbbgTeTrPUxCw/S6SbUASHcQAh3eRboq04UvPm+BqWb
>
HRX65PLzio92rboIMKbPpVTc8sqDKRtoQ0k59vH8zsGQmF6WkpRi2MFoHkhdo2JQ
>
IrUSSrbYoJP5KF6GmjEqVfPVWXiKc5aWyWBG1O8ffcqZGqghCwK4/r6OEx9jFz6S
>
mW18XO3jD02az0rTZRGo
> =L4yS
> -----END PGP SIGNATURE-----
> 
>
---------------------------------------------------------------------
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For
additional commands, e-mail: users-help@tomcat.apache.org

 
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message