Session mix up - apache httpd with mod_jk, tomcat, spring security - serving data of other user

Recently we have faced a serious problem, that one user was served data of another user. This problem is almost impossible to reproduce.

We are using standard logged-users-management provided by Spring-security, and we are sure that the problem isn't in storing user in instance variable or similar concurrency stuff in our app.

We really doubt that the problem is in SpringSecurity or Tomcat itself.

Our front-server is apache httpd, connected to tomcat via ajp connector (mod_jk). We are not doing any load balancing (httpd cares just about SSL, some url rewrites and serving some php modules)

Here is our setup:

## OS
OS Name:        Linux 
OS Version:     2.6.32-5-686
Architecture:   i386

## Apache httpd
Server version: Apache/2.2.16 (Debian)
Server built:   Sep  4 2011 20:27:42

## mod_jk
mod_jk/1.2.30 (installed via apt-get)

## JVM
JVM Version:    1.6.0_18-b18
JVM Vendor:     Sun Microsystems Inc.

## Tomcat
Server version: Apache Tomcat/6.0.28
Server built:   February 12 2011 1443

We blame httpd / mod_jk for this session mix-up, so our only solution would be to remove apache httpd. But before we leave this popular and widely used configuration, we would like to know if anyone has faced a similar problem.

The only similar problems I have found were in load balancing or mod_jk.

Have you ever faced a similar problem? Any hints, ideas, links or experience will be highly appreciated. Thanks!

stue asked Oct 21 '22 18:10

1 Answer

One possible problem may be a second login attempt. Consider the following case:

  • User opens two browser tabs with two login forms.
  • Tab 1: log in as user_1. Load some data into the HTTP session.
  • Tab 2: log in as user_2. Load some data into the HTTP session.

In most browsers it will be the same HTTP session. So actually you will have data from user_1 and user_2 combined in one HTTP session. Any page that uses session objects may be affected.

You have two options here:

  • Prevent this situation. Detect the second login attempt and ask the user to log out first. It's easy with Spring Security, see the code below.
  • If you absolutely need one account per browser tab then you can store your session data in a map per username.

You can prevent a second login attempt thanks to the Concurrent Session Control feature:

<http>
    ...
    <session-management>
        <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    </session-management>
</http>

Is it already done in your application?

Maksym Demidas answered Oct 27 '22 22:10
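The concurrency-control setting from the answer above, expressed in Spring Security's Java configuration. This is an added example, not code from the question or the answer; it assumes Spring Security 6 (the `SecurityFilterChain` style), a form-login application, and arbitrary class and bean names. Two details the XML snippet does not show are included. First, the `HttpSessionEventPublisher` listener: the session registry that counts sessions per user only learns about expired or invalidated sessions through it, so without it a user who closed the browser stays counted as logged in and is refused at the next login until the old session times out. Second, a session-fixation strategy of `newSession`: the per-principal limit rejects a second parallel login by the *same* username, but in the two-tab scenario user_2 has no session yet and is allowed in, so what actually prevents user_1's attributes from surviving into user_2's login is giving the new login a fresh session rather than migrating the old one.

```java
// Added example (not from the question or answer): Spring Security 6 Java
// configuration equivalent to
//   <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
// Assumes a form-login web application; package, class and bean names are
// placeholders chosen for this example.
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class OneSessionPerUserConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                // A successful login gets a brand-new HttpSession carrying only
                // Spring Security's own attributes; anything an earlier user
                // stored in the session is dropped. The default strategy
                // (changeSessionId) keeps the old attributes.
                .sessionFixation(fixation -> fixation.newSession())
                // At most one live session per principal. With
                // maxSessionsPreventsLogin(true) the second login attempt is
                // rejected instead of expiring the first session, which is
                // the error-if-maximum-exceeded="true" behaviour of the XML form.
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)
            );
        return http.build();
    }

    // Publishes HttpSessionCreatedEvent / HttpSessionDestroyedEvent so the
    // SessionRegistry removes sessions that time out or are invalidated.
    // Without this bean the registry never forgets a session, and a user who
    // simply closed the browser cannot log in again until that session expires.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

With this in place, a user who is already logged in elsewhere and submits the login form again is sent back to the login page with an authentication failure rather than being given a second session. Note what the limit does not do: it is keyed on the principal, so it does not stop a different username from logging in on the same browser session; the `newSession` fixation strategy is what ensures that login starts from an empty session.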