Juan,

On 1/15/21 09:57, juan wrote:
We were running tomcat 8.5.57 on CentOS 7 and together with CAS SSO, we
have multiple servers behind an AWS load balancer setup with sticky
sessions. We encountered a weird situation where a user who logged into
their application was presented with another user's profile after login. Has
anyone encountered something similar to this? Both users hit the same
tomcat server seconds apart and the user was on his personal computer and
doesn't know the first user.

We have async-supported set to true for both default and jsp servlets and
using the http11.Http11NioProtocol connector with
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
and <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />.
Unfortunately we could not find any errors in the logs.

Are you using h2 as a protocol between the AWS lb and Tomcat, or are you using HTTP? Or, are you using a network load balancer which just allows bytes to flow back and forth without actually proxying HTTP(2)?

I'm assuming you have:

HTTP(2) -> ELB/ALB -> HTTP -> Tomcat

I just want to check to see if h2 is actually being used by Tomcat.

If h2 is being used as a proxy protocol, do you know if you are using h2 or h2c (non-encrypted)?

Just trying to narrow things down.

We encountered something similar in the past when running on tomcat 8.0 and
it was related to low entropy on the environment and tomcat not able to
generate a session for the incoming user and reusing the jsessionid for a
previous user.  We did see errors for this in the logs. This was fixed by
adding a service to increase entropy and upgrading to a later version of
tomcat 8.5.

That sounds suspicious to me. If you don't have sufficient entropy, you should get very slow response times, but no re-use of session identifiers.

Any suggestions or help is much appreciated regarding logging that might
help shed some light on this. We have also patched tomcat to the latest
release 8.5.61 to see if it helps.

Can you please post your entire <Connector> element from conf/server.xml? Remove any sensitive information that may be present.

-chris
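
On the question of logging that might shed light on this, here is an added example (not part of the original message and not Tomcat project code) that scans access-log lines for a session ID seen with more than one user or client address. It assumes an AccessLogValve pattern of `%{X-Forwarded-For}i %u %t "%r" %s %S`, that `%u` carries the authenticated user name, and that the load balancer appends the peer address to X-Forwarded-For; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed AccessLogValve pattern (not taken from the thread):
#   %{X-Forwarded-For}i %u %t "%r" %s %S
LINE = re.compile(
    r'^(?P<xff>\S+(?:, \S+)*) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<sid>\S+)$'
)

# Constructed sample lines; addresses, users and session IDs are made up.
SAMPLE = """\
203.0.113.10 - [15/Jan/2021:09:40:58 -0500] "GET /app/login HTTP/1.1" 302 -
203.0.113.10 alice [15/Jan/2021:09:41:02 -0500] "GET /app/profile HTTP/1.1" 200 A1B2C3
198.51.100.7 bob [15/Jan/2021:09:41:05 -0500] "GET /app/profile HTTP/1.1" 200 A1B2C3
198.51.100.7 bob [15/Jan/2021:09:41:09 -0500] "GET /app/home HTTP/1.1" 200 D4E5F6
192.0.2.99, 198.51.100.7 bob [15/Jan/2021:09:41:12 -0500] "GET /app/home HTTP/1.1" 200 D4E5F6
"""


def shared_sessions(lines):
    """Return session IDs that were seen with more than one user or client IP."""
    seen = defaultdict(lambda: {"users": set(), "ips": set()})
    for raw in lines:
        m = LINE.match(raw.strip())
        if m is None or m["sid"] == "-":
            continue  # unparsable line, or a request without a session
        # Assumption: the load balancer appends the peer address, so the
        # last X-Forwarded-For entry is the one the client cannot forge.
        seen[m["sid"]]["ips"].add(m["xff"].split(",")[-1].strip())
        if m["user"] != "-":
            seen[m["sid"]]["users"].add(m["user"])
    return {
        sid: {"users": sorted(e["users"]), "ips": sorted(e["ips"])}
        for sid, e in seen.items()
        if len(e["users"]) > 1 or len(e["ips"]) > 1
    }


if __name__ == "__main__":
    for sid, entry in shared_sessions(SAMPLE.splitlines()).items():
        print(sid, entry)
```

A session ID tied to two user names is the strong signal; two addresses alone can be a roaming client. Access logs that record session IDs should be protected like credentials.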
