tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: tomcat session mixing
Date Mon, 17 Jun 2013 17:47:44 GMT

Joel,

On 6/17/13 12:01 PM, joel wrote:
> Thanks for the info! I'll look into making the upgrade.
> 
> Can you advise how an application bug can cause this when
> restarting tomcat will fix it? That would help me wrap my mind
> around something that isn't imaginable, yet.

If you store a request object in a session, for example. Another one
is having a servlet-scoped variable that gets set in the
doGet/doPost/etc. method.

There are other ways to shoot yourself in the foot, but these are two
of the most obvious (and common).

Other ways to leak information include, but are not limited to:

- Sloppy ThreadLocal management
- Retaining a reference to a request or response object
- Retaining a reference to a servlet Input/OutputStream
- Retaining a reference to a session

Hope that helps,
-chris
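
The servlet-scoped variable case mentioned in the message above, as an added example that is not part of the original e-mail or of Tomcat's code. It is a plain-JDK stand-in for a servlet, relying on the fact that the container serves concurrent requests from one servlet instance; `Handler`, `LeakyHandler`, `SafeHandler` and `aliceSees` are hypothetical names, and the users are constructed sample data.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class SessionMixingDemo {
    // Constructed stand-in for a servlet: one instance serves all request threads.
    interface Handler { String handle(String user, Runnable slowWork); }

    // The bug: per-request state kept in an instance field.
    static class LeakyHandler implements Handler {
        private String currentUser;          // shared by every request thread
        public String handle(String user, Runnable slowWork) {
            currentUser = user;              // set at the start of "doGet"
            slowWork.run();                  // e.g. a database call; other requests run meanwhile
            return "Account page for " + currentUser;
        }
    }

    // The fix: keep per-request state in locals (or request attributes).
    static class SafeHandler implements Handler {
        public String handle(String user, Runnable slowWork) {
            String currentUser = user;       // confined to this request's thread
            slowWork.run();
            return "Account page for " + currentUser;
        }
    }

    // Runs alice's request and, while it is in its slow step, runs bob's
    // request to completion on a second thread against the same instance.
    static String aliceSees(Handler h) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            return h.handle("alice", () -> {
                try {
                    pool.submit(() -> h.handle("bob", () -> {})).get();
                } catch (Exception e) {
                    throw new IllegalStateException(e);
                }
            });
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("instance field: " + aliceSees(new LeakyHandler()));
        System.out.println("local variable: " + aliceSees(new SafeHandler()));
    }
}
```

With the instance field, alice's response is built from bob's value; with the local variable it is not. Restarting the process only clears the shared field until the next overlapping pair of requests.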
