http://issues.apache.org/bugzilla/show_bug.cgi?id=28560

Summary: Wrong session route used when more than one JSESSIONID cookie exists
Product: Tomcat 5
Version: Unknown
Platform: All
URL: http://www.ietf.org/rfc/rfc2965.txt
OS/Version: All
Status: NEW
Severity: Major
Priority: Other
Component: Native:JK
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

mod_jk and mod_jk2 both always use the first JSESSIONID cookie for picking the session route and fail if the first one isn't valid.

This is a problem in the case where you have a domain running Tomcat (example.com) and a subdomain of that domain (foo.example.com) running Tomcat with load balancing with mod_jk[2]. What happens is the Tomcat at example.com sets a JSESSIONID cookie for the domain example.com. Then when the user accesses foo.example.com the jvmRoute from example.com isn't valid, so mod_jk[2] picks a random clone to forward the request to. The foo.example.com Tomcat clone then sets a new JSESSIONID for foo.example.com.

Now the cookie spec, RFC 2965, says that more than one cookie with the same name is valid. If the browser happens to send the foo.example.com JSESSIONID cookie before the example.com JSESSIONID cookie, things are fine. But if the example.com cookie comes first, then mod_jk[2] fails to see the second JSESSIONID cookie. This is the case with IE5 and IE6, which unfortunately are the most common browsers.

Now I thought the cookie spec says the most specific cookie should be sent first, but what it really says in section 3.3.4 is: "[...] they are ordered in the Cookie header such that those with more specific Path attributes precede those with less specific. Ordering with respect to other attributes (e.g., Domain) is unspecified."

While I know what needs to be fixed, my C coding skills are much too weak to actually write the patch myself.

mod_jk:
  jk/native/common/jk_lb_worker.c: get_most_suitable_worker needs to accept an array of possible session_routes. get_session_route, get_sessionsid, get_cookie need to return an array of matching session ids/cookies.

mod_jk2:
  jk/native2/common/jk_worker_lb.c: jk2_get_most_suitable_worker needs to accept an array of all possible jvmRoutes from jk2_request_getSessionRoute.
  jk/native2/common/jk_requtil.c: jk2_request_getSessionRoute, jk2_requtil_getSessionId, and jk2_requtil_getCookieByName need to return an array of possible cookies/jvmRoutes.

If you'd like to witness this problem, visit the following URLs in order with IE5 or IE6. The last URL will show all headers, where you can see the multiple JSESSIONID headers after you've reloaded it.

  https://webmail.ufl.edu/
  https://test.webmail.ufl.edu/test.jsp

If you keep reloading you'll notice two jvmRoutes. gatormail_p# is for webmail.ufl.edu and gatormail_t# is for test.webmail.ufl.edu. The value of gatormail_t# will change randomly as mod_jk distributes requests between the clones.
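The behaviour the reporter asks for, as an added illustration (not mod_jk's own code): collect the jvmRoute suffix of every JSESSIONID cookie in the Cookie header and match them against the balancer's workers in order, falling back to normal load balancing only when none matches. Function names, the worker list and the constructed Cookie header are assumptions for this example; the "<id>.<jvmRoute>" session id layout is Tomcat's.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ROUTES 8
#define ROUTE_LEN  64

/* Collect the jvmRoute suffix ("<id>.<route>") of every JSESSIONID cookie in a
 * Cookie header, in the order the browser sent them. Returns the count. */
int get_session_routes(const char *cookie_hdr, char routes[][ROUTE_LEN], int max)
{
    int n = 0;
    const char *p = cookie_hdr;
    while (p && *p && n < max) {
        while (*p == ' ' || *p == ';') p++;            /* skip separators */
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > 11 && strncmp(p, "JSESSIONID=", 11) == 0) {
            const char *val = p + 11, *vend = p + len;
            const char *dot = memchr(val, '.', (size_t)(vend - val));
            if (dot && vend - dot - 1 > 0 && vend - dot - 1 < ROUTE_LEN) {
                memcpy(routes[n], dot + 1, (size_t)(vend - dot - 1));
                routes[n][vend - dot - 1] = '\0';
                n++;
            }
        }
        p = end ? end + 1 : NULL;
    }
    return n;
}

/* Index of the first worker whose name matches any collected route, trying
 * routes in cookie order. -1 means no route belongs to this balancer, so the
 * caller should load-balance instead of trusting the first cookie alone. */
int pick_worker(const char *cookie_hdr, const char *const *workers, int nworkers)
{
    char routes[MAX_ROUTES][ROUTE_LEN];
    int nroutes = get_session_routes(cookie_hdr, routes, MAX_ROUTES);
    for (int r = 0; r < nroutes; r++)
        for (int w = 0; w < nworkers; w++)
            if (strcmp(routes[r], workers[w]) == 0)
                return w;
    return -1;
}

int main(void)
{
    /* Constructed header: the parent-domain cookie (gatormail_p1) arrives first,
     * as IE sends it, followed by the subdomain cookie for this balancer. */
    const char *hdr = "JSESSIONID=A1B2C3.gatormail_p1; JSESSIONID=D4E5F6.gatormail_t2";
    const char *workers[] = { "gatormail_t1", "gatormail_t2" };
    printf("chosen worker index: %d\n", pick_worker(hdr, workers, 2));
    return 0;
}
```

Stopping at the first cookie, as the report describes, would see only gatormail_p1 and give up; scanning all of them finds gatormail_t2 and keeps the subdomain session sticky.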