Posted to users@tomcat.apache.org by "Colpaert, Robert" <ro...@logica.com> on 2010/11/09 14:45:50 UTC

HTTP request and responses mixed up

Hi all,

 

We are currently experiencing an issue on our system where user A gets
the HTTP response intended for user B. In fact, user A and user B are
two completely different users that are logged on to our system. User A
and User B both send a different request and then BOTH users get the
same response. This problem occurs sporadically and so far we have not
been able to reproduce it.

 

Our setup is as follows:

We have a server that runs apache and acts as a reverse proxy to the
second apache on another server. Both these servers run Apache 2.2.9.
The apache on the second server includes the mod_jk module and this
server also runs a tomcat which routes the requests to our backend java
application.

 

Detail specification of the problem scenario:

In the web GUI, user A requests a list of customers and user B requests
a list of the current orders (these requests are handled in different
servlets). User A receives the correct list of its customers, however
User B gets the same HTTP response!

 

We traced both requests through the entire chain of
apache/apache/tomcat/backend etc. and we see both requests (User A and
User B) in the logging of our first and second apache. These requests
are for completely different servlets, this rules out any coding
problems inside the servlet. The reason why we can correlate the HTTP
response of User A with the HTTP response User B receives, is the size
of the HTTP response in the apache logging.

 

We have looked through the change log of tomcat/apache and we have
searched many forums to see if others have encountered this issue.
Unfortunately, we have found very little information. It is also very
difficult to reproduce this situation, since it occurs randomly and we
have only seen it happen 3 times in about 2 months time.

 

System specification:

OS: Solaris 10

Apache: 2.2.9

Tomcat: 6.0.16.0

Tomcat_jvm: 1.6.0_07-b06

mod_jk: 1.2.26

java: 1.6.07

The versions of apache/tomcat etc. have not been updated for quite some
time (more than a year at least).

 

If anyone could shed some light on this issue or has experienced it
themselves: any information would be greatly appreciated.

 

Regards,

 

Robert Colpaert 





Re: HTTP request and responses mixed up

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Robert,

On 11/9/2010 8:45 AM, Colpaert, Robert wrote:
> In the web GUI, user A requests a list of customers and user B requests
> a list of the current orders (these requests are handled in different
> servlets). User A receives the correct list of its customers, however
> User B gets the same HTTP response!

Have you received reports directly from your users, then?

> We traced both requests through the entire chain of
> apache/apache/tomcat/backend etc. and we see both requests (User A and
> User B) in the logging of our first and second apache. These requests
> are for completely different servlets, this rules out any coding
> problems inside the servlet. The reason why we can correlate the HTTP
> response of User A with the HTTP response User B receives, is the size
> of the HTTP response in the apache logging.

Responses of the same size would seem to be circumstantial at best. You
could install a component that takes a cryptographic fingerprint of each
response (say, md5sum) and logs it for comparison. You probably want to
do this at the outer-most layer of your configuration to verify that
it's actually happening, then move that fingerprinting back toward the
webapp until you pinpoint its location.

As Chuck says, it usually turns out to be the webapp's fault.

If you're truly paranoid, you can enable
org.apache.catalina.connector.RECYCLE_FACADES to see if that eliminates
the problem
(http://tomcat.apache.org/tomcat-6.0-doc/config/systemprops.html). I'm
not sure when that configuration property was added, but it looks like
the Changelog references "facade recycling" around 6.0.13, so you should
be okay.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
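
One way to build the fingerprinting component suggested in the reply above, at the webapp end of the chain: a servlet filter that hashes every response body and logs the digest. This is an added example, not code from the thread or from Tomcat; it assumes the Servlet 2.5 API that Tomcat 6 provides, and the class name and log layout are hypothetical.

```java
import java.io.*;
import java.math.BigInteger;
import java.security.*;
import javax.servlet.*;
import javax.servlet.http.*;
// Added example (Servlet 2.5 API): logs an MD5 fingerprint of each response body.
public class ResponseFingerprintFilter implements Filter {
    private ServletContext ctx;
    public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        MessageDigest md;
        try { md = MessageDigest.getInstance("MD5"); }
        catch (NoSuchAlgorithmException e) { throw new ServletException(e); }
        // All state is local to this call: nothing is shared between requests.
        DigestingResponse wrapped = new DigestingResponse((HttpServletResponse) res, md);
        try {
            chain.doFilter(req, wrapped);
        } finally {
            wrapped.flushWriter();
            String hex = String.format("%032x", new BigInteger(1, md.digest()));
            // Log layout is an assumption; the raw session id is deliberately not logged.
            ctx.log("fingerprint md5=" + hex + " user=" + hreq.getRemoteUser()
                    + " uri=" + hreq.getRequestURI());
        }
    }

    static class DigestingResponse extends HttpServletResponseWrapper {
        private final ServletOutputStream out;
        private PrintWriter writer;
        DigestingResponse(HttpServletResponse res, final MessageDigest md) {
            super(res);
            out = new ServletOutputStream() {   // tee: digest first, then pass through
                public void write(int b) throws IOException { write(new byte[] {(byte) b}, 0, 1); }
                public void write(byte[] b, int off, int len) throws IOException {
                    md.update(b, off, len); getResponse().getOutputStream().write(b, off, len);
                }
            };
        }
        public ServletOutputStream getOutputStream() { return out; }
        public PrintWriter getWriter() throws IOException {
            if (writer == null)
                writer = new PrintWriter(new OutputStreamWriter(out, getCharacterEncoding()));
            return writer;
        }
        public void flushBuffer() throws IOException { flushWriter(); super.flushBuffer(); }
        void flushWriter() { if (writer != null) writer.flush(); }
    }
}
```

Map the filter first in web.xml so it wraps every servlet, and compare digests only between layers that see identical bytes, since compression or rewriting in between changes the hash.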


RE: HTTP request and responses mixed up

Posted by Jeffrey Janner <Je...@PolyDyne.com>.
> -----Original Message-----
> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
> Sent: Tuesday, November 09, 2010 8:06 AM
> To: Tomcat Users List
> Subject: RE: HTTP request and responses mixed up
> 
> > From: Colpaert, Robert [mailto:robert.colpaert@logica.com]
> > Subject: HTTP request and responses mixed up
> 
> > We are currently experiencing an issue on our system where
> > user A gets the HTTP response intended for user B.
> .....
>  Your Tomcat is over
> 2.5 years old, mod_jk is nearly 3 years old, httpd is over 2 years old,
> and the Oracle site is so messed up that I can't find the age of the
> JVM - but it's old.
> 
>  - Chuck

I happen to have that exact JDK version loaded on my system right now
(haven't used it for anything in a while, so I haven't upgraded).  The
files are dated 6/10/2008.  And yes, there are bugs in it that will give
you headaches.  You should upgrade to the most recent version.
Jeff


RE: HTTP request and responses mixed up

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Colpaert, Robert [mailto:robert.colpaert@logica.com] 
> Subject: HTTP request and responses mixed up

> We are currently experiencing an issue on our system where 
> user A gets the HTTP response intended for user B.

In every instance reported of this happening, it has almost always been a programming error in the webapp(s), often storing the request reference in a static variable that shouldn't be (or an instance variable of some singleton).  Look for anything in common across the two requests, such as filters, libraries, loggers, beans, etc.

Regardless, it wouldn't hurt to upgrade to insure there's not some latent bug in one of the packages you're using.  Your Tomcat is over 2.5 years old, mod_jk is nearly 3 years old, httpd is over 2 years old, and the Oracle site is so messed up that I can't find the age of the JVM - but it's old.

 - Chuck
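
The kind of webapp error described in the reply above, shown next to a corrected form. This is an added example with hypothetical class names, not code from the poster's application; it assumes the Servlet 2.5 API.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example with hypothetical class names; not code from the poster's application.
// BROKEN: a filter shared by every servlet parks the request in a static field.
class LeakyContextFilter implements Filter {
    static HttpServletRequest current;            // one slot for ALL worker threads
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        current = (HttpServletRequest) req;       // user B's thread overwrites user A's
        chain.doFilter(req, res);                 // servlets later read 'current'
    }
}

// A servlet (or bean, logger, library) that trusts the shared slot. If B's request
// arrives between the filter and this read, A's response is built from B's request.
class ReportServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpServletRequest r = LeakyContextFilter.current;   // may not be 'req'
        resp.getWriter().write("report for " + r.getRemoteUser());
    }
}

// FIXED: per-thread slot, always cleared so a pooled thread cannot leak it onward.
class SafeContextFilter implements Filter {
    private static final ThreadLocal<HttpServletRequest> CURRENT =
            new ThreadLocal<HttpServletRequest>();
    static HttpServletRequest current() { return CURRENT.get(); }
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        CURRENT.set((HttpServletRequest) req);
        try {
            chain.doFilter(req, res);
        } finally {
            CURRENT.remove();                     // Tomcat reuses worker threads
        }
    }
}
```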

