Hi Chris,

Thanks for the help. I'm not an expert with tomcat management. There are no servlets. I don't know what Threadlocal, doGet/doPost/etc are, so presumably haven't used them. No references are kept to request, response, session, or stream objects.

At login, a user session token is stored:

session.setAttribute("userToken", userToken);

This token also contains wrapper methods to make server calls. When tomcat starts mixing sessions, it at least some of the time incorrectly maps the userToken with the user.

I'll start the process of upgrading tomcat and hopefully that is all it takes (and hopefully it doesn't introduce new problems).

Joel

On 2013-06-17 12:47, Christopher Schultz wrote:
> Joel,
>
> On 6/17/13 12:01 PM, joel wrote:
>
>> Thanks for the info! I'll look into making the upgrade. Can you advise how an application bug can cause this when restarting tomcat will fix it? That would help me wrap my mind around something that isn't imaginable, yet.
>
> If you store a request object in a session, for example. Another one
> is having a servlet-scoped variable that gets set in the
> doGet/doPost/etc. method.
>
> There are other ways to shoot yourself in the foot, but these are two
> of the most obvious (and common).
>
> Other ways to leak information include, but are not limited to:
>
> - Sloppy ThreadLocal management
> - Retaining a reference to a request or response object
> - Retaining a reference to a servlet Input/OutputStream
> - Retaining a reference to a session
>
> Hope that helps,
> -chris
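
Added example (not part of the thread and not code from Joel's application): the "servlet-scoped variable set in doGet/doPost" case from the quoted reply, reduced to plain JDK so it runs without a servlet container. The handler classes and user names are hypothetical stand-ins for a servlet instance that the container creates once and calls from many request threads; the latch only forces the overlap that concurrent load would otherwise produce by chance.

```java
import java.util.concurrent.CountDownLatch;

public class SharedFieldLeakDemo {

    interface Handler {
        String handle(String user, CountDownLatch bothArrived) throws InterruptedException;
    }

    // Buggy pattern: per-request state kept in an instance field.
    static class LeakyHandler implements Handler {
        private String currentUser; // one copy shared by every request thread
        public String handle(String user, CountDownLatch bothArrived) throws InterruptedException {
            currentUser = user;
            bothArrived.countDown();
            bothArrived.await();    // both requests are now in flight
            return "page for " + currentUser; // may be the other request's user
        }
    }

    // Corrected pattern: per-request state kept in a local variable.
    static class SafeHandler implements Handler {
        public String handle(String user, CountDownLatch bothArrived) throws InterruptedException {
            String currentUser = user; // confined to this thread's stack
            bothArrived.countDown();
            bothArrived.await();
            return "page for " + currentUser;
        }
    }

    // Runs two overlapping "requests" and counts responses built for the wrong user.
    static int mismatches(Handler h) throws Exception {
        String[] users = {"alice", "bob"}; // constructed sample users
        String[] pages = new String[2];
        CountDownLatch latch = new CountDownLatch(2);
        Thread[] workers = new Thread[2];
        for (int i = 0; i < 2; i++) {
            final int n = i;
            workers[n] = new Thread(() -> {
                try { pages[n] = h.handle(users[n], latch); }
                catch (InterruptedException e) { Thread.currentThread().interrupt(); }
            });
            workers[n].start();
        }
        int bad = 0;
        for (int i = 0; i < 2; i++) {
            workers[i].join();
            if (!pages[i].equals("page for " + users[i])) bad++;
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("leaky handler mismatches: " + mismatches(new LeakyHandler()));
        System.out.println("safe handler mismatches:  " + mismatches(new SafeHandler()));
    }
}
```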