Posted to users@tomcat.apache.org by Weffen Cheung <we...@gmail.com> on 2012/01/11 11:29:02 UTC

tomcat session problem

Hello,

I am using 2 tomcat(7.0.11) on my server, with clustering and session duplication. All the things are running smoothly except the session problem sometimes:

1. userA login, userB login
2. Sometimes when userB loads a page, he finds that he has become userA; it means that userB's login session data has been replaced with userA's. Don't know why. Is it a bug?

Has anyone encountered the same problem??

Any advice would be highly appreciated!

Thanks

--
Weffen Cheung
E: weffen@gmail.com
M: 13802222618




RE: tomcat session problem

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Igor Cicimov [mailto:icicimov@gmail.com] 
> Subject: Re: tomcat session problem

> But you said you are using Apache as front end right?

Actually, he didn't, but that's because it appears Selvakumar Subramanian didn't even bother to read the subject line, let alone stick to his unrelated thread.  He jumped into the middle of a completely different discussion, which does use httpd as a front end, started by Weffen Cheung.

 - Chuck



Re: tomcat session problem

Posted by Igor Cicimov <ic...@gmail.com>.
But you said you are using Apache as front end right? And here you are
using mod_proxy_balancer to reverse-proxy right?


> ProxyPass / balancer://cluster/ stickysession=JSESSIONID nofailover=On
> ProxyPassReverse / balancer://cluster/
>


You use sticky sessions on your proxy based on the JSESSIONID right? So the
point is the balancer in your Apache frontend proxy should have the
parameters synchronized with your backend Tomcat servers otherwise your
sessions might end up on a wrong Tomcat server when proxying. Hope this
makes sense?!

Igor
On Thu, Jan 12, 2012 at 12:35 PM, Selvakumar Subramanian <
sselvakumars@gmail.com> wrote:

> Hi Igor,
>
> Thanks for your reply...We are using apache tomcat not the http
> server....Hope the below parameter is to be used for apache http server
> right? Pls correct me, if I am wrong in understanding
>
> Thanks
> Selva

Re: tomcat session problem

Posted by Selvakumar Subramanian <ss...@gmail.com>.
Hi Igor,

Thanks for your reply...We are using apache tomcat not the http
server....Hope the below parameter is to be used for apache http server
right? Pls correct me, if I am wrong in understanding

Thanks
Selva

On Wed, Jan 11, 2012 at 6:34 PM, Igor Cicimov <ic...@gmail.com> wrote:

> And have you set jvmRoute parameter in the server.xml file on the tomcats
> to match the route value you use in the balancer?
>
> Maybe read the following section of the mod_proxy_balancer carefully to
> make sure all the dependencies are met:
>
>
> http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html#stickyness_implementation
>
>
> Igor

Re: tomcat session problem

Posted by Igor Cicimov <ic...@gmail.com>.
And have you set jvmRoute parameter in the server.xml file on the tomcats
to match the route value you use in the balancer?

Maybe read the following section of the mod_proxy_balancer carefully to
make sure all the dependencies are met:

http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html#stickyness_implementation


Igor
On Thu, Jan 12, 2012 at 8:42 AM, Daniel Mikusa <dm...@vmware.com> wrote:

> On Wed, 2012-01-11 at 10:21 -0800, Weffen Cheung wrote:
> > Hello,
> >
> > First Thanks for your reply, Dan.
> >
> > 1. Yes,  I am using apache2+mod_proxy in front of the two tomcats, here is the configuration in httpd.conf:
> >
> >         ProxyPass /images/ !
> >         ProxyPass /css/ !
> >         ProxyPass /js/ !
> >         ProxyPass /photo/ !
> >         ProxyPass /icon/ !
> >         ProxyPass /pg/ !
> >         ProxyPass /job/ !
> >         ProxyPass /maintenance/ !
> >         ProxyRequests Off
> >
> >         <Proxy balancer://cluster/>
> >                 BalancerMember ajp://localhost:8009/ route=tomcat loadfactor=1
> >                 BalancerMember ajp://localhost:8010/ route=tomcat2 loadfactor=1
> >         </Proxy>
> >         ProxyPass / balancer://cluster/ stickysession=JSESSIONID nofailover=On
> >         ProxyPassReverse / balancer://cluster/
> >
> > 2. I am not sure whether the problem occurs on the same tomcat, because I have no idea how to confirm that. Could you give me any tips to find it out?
>
> It will take a bit of work, but here are two possibilities...
>
> If you are able to talk with the user when the problem occurs, try to
> get some information from the user:  the time the problem happened, the
> resource that was accessed or anything else that can be used to identify
> the request in the logs.
>
> Once you have that information, you'll need to look at the access logs
> to find the user's request and see which machine the request was sent
> to.
>
> Alternatively, if you can get the session id of the problem request, it
> should have the route appended to the end of it.  That would also tell
> you which machine the request was sent to.
>
> > This problem occurs occasionally, and I really don't know whether it is because of the session duplication or tomcat session manager itself.
>
> As I mentioned before, the most likely cause is due to a session,
> request or response object being retained by one of your application's
> servlets.  Doing this can cause problems very similar to the one that
> you are reporting.
>
> You should check your application to make sure that you never assign the
> session, request or response objects to a field on your Servlet objects.
> This is not thread safe and can cause a problem very similar to the one
> you are reporting.
>
> Dan
>
>
> >
> > 3. But one thing I am sure is that the two users use different PCs to log in,  which means that cookie is not the reason at all.
> >
> > Any fellows have such a problem? This problem is so bad that it has driven me and my visitors crazy, which is a big security problem!
> >
> > Any advice is highly appreciated!
> >
> > Thanks in advance!
> >
> >
> > Weffen
>
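
The route check suggested in this message, as an added example that is not part of the thread or of Tomcat or httpd: Tomcat appends ".<jvmRoute>" to each session id, and mod_proxy_balancer pins a request by matching that suffix against a BalancerMember route= value. The BalancerMember lines are the ones posted in the thread; the jvmRoute values and session ids are constructed (the thread never shows server.xml), and the class and method names are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not code from the thread. Class and method names are hypothetical.
public class StickyRouteCheck {

    // BalancerMember lines as posted in the thread's httpd.conf.
    static final String HTTPD_CONF =
        "BalancerMember ajp://localhost:8009/ route=tomcat loadfactor=1\n"
      + "BalancerMember ajp://localhost:8010/ route=tomcat2 loadfactor=1\n";

    static final Pattern MEMBER =
        Pattern.compile("BalancerMember\\s+(\\S+).*?\\sroute=(\\S+)");

    /** Maps each route= value to the backend URL it pins sessions to. */
    static Map<String, String> balancerRoutes(String conf) {
        Map<String, String> routes = new LinkedHashMap<>();
        Matcher m = MEMBER.matcher(conf);
        while (m.find()) {
            routes.put(m.group(2), m.group(1));
        }
        return routes;
    }

    /** Balancer routes that no Tomcat announces as its jvmRoute (these never stick). */
    static Set<String> routesWithoutTomcat(Map<String, String> routes, Set<String> jvmRoutes) {
        Set<String> missing = new TreeSet<>(routes.keySet());
        missing.removeAll(jvmRoutes);
        return missing;
    }

    /** Returns the route suffix of a session id of the form <id>.<jvmRoute>, or null. */
    static String routeOf(String sessionId) {
        int dot = sessionId.indexOf('.');
        return (dot < 0 || dot == sessionId.length() - 1) ? null : sessionId.substring(dot + 1);
    }

    /** Says which backend a JSESSIONID value is pinned to, or why it is not pinned. */
    static String diagnose(String sessionId, Map<String, String> routes) {
        String route = routeOf(sessionId);
        if (route == null) {
            return "no route suffix: issuing Tomcat has no jvmRoute, request can land on any member";
        }
        String backend = routes.get(route);
        return backend != null
            ? "route '" + route + "' -> " + backend
            : "route '" + route + "' matches no BalancerMember, request can land on any member";
    }

    public static void main(String[] args) {
        Map<String, String> routes = balancerRoutes(HTTPD_CONF);

        // Assumption: jvmRoute values as read from each Tomcat's server.xml <Engine>.
        // Here the second instance was given a different name than the balancer uses.
        Set<String> jvmRoutes = Set.of("tomcat", "tomcatB");
        System.out.println("balancer routes with no matching jvmRoute: "
            + routesWithoutTomcat(routes, jvmRoutes));

        // Constructed JSESSIONID values as they would appear in an access log.
        String[] sessionIds = {
            "0A1B2C3D4E5F60718293A4B5C6D7E8F9.tomcat",
            "1122334455667788990011AABBCCDDEE.tomcatB",
            "FFEEDDCCBBAA00112233445566778899",
        };
        for (String id : sessionIds) {
            System.out.println(id + " : " + diagnose(id, routes));
        }
    }
}
```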

Re: tomcat session problem

Posted by Daniel Mikusa <dm...@vmware.com>.
On Wed, 2012-01-11 at 10:21 -0800, Weffen Cheung wrote:
> Hello, 
> 
> First Thanks for your reply, Dan.
> 
> 1. Yes,  I am using apache2+mod_proxy in front of the two tomcats, here is the configuration in httpd.conf:
> 
>         ProxyPass /images/ !
>         ProxyPass /css/ !
>         ProxyPass /js/ !
>         ProxyPass /photo/ !
>         ProxyPass /icon/ !
>         ProxyPass /pg/ !
>         ProxyPass /job/ !
>         ProxyPass /maintenance/ !
>         ProxyRequests Off
> 
>         <Proxy balancer://cluster/>
>                 BalancerMember ajp://localhost:8009/ route=tomcat loadfactor=1
>                 BalancerMember ajp://localhost:8010/ route=tomcat2 loadfactor=1
>         </Proxy>
>         ProxyPass / balancer://cluster/ stickysession=JSESSIONID nofailover=On
>         ProxyPassReverse / balancer://cluster/
> 
> 2. I am not sure whether the problem occurs on the same tomcat, because I have no idea how to confirm that. Could you give me any tips to find it out?

It will take a bit of work, but here are two possibilities...

If you are able to talk with the user when the problem occurs, try to
get some information from the user:  the time the problem happened, the
resource that was accessed or anything else that can be used to identify
the request in the logs.

Once you have that information, you'll need to look at the access logs
to find the user's request and see which machine the request was sent
to.

Alternatively, if you can get the session id of the problem request, it
should have the route appended to the end of it.  That would also tell
you which machine the request was sent to.

> This problem occurs occasionally, and I really don't know whether it is because of the session duplication or tomcat session manager itself.

As I mentioned before, the most likely cause is due to a session,
request or response object being retained by one of your application's
servlets.  Doing this can cause problems very similar to the one that
you are reporting.

You should check your application to make sure that you never assign the
session, request or response objects to a field on your Servlet objects.
This is not thread safe and can cause a problem very similar to the one
you are reporting.

Dan


> 
> 3. But one thing I am sure is that the two users use different PCs to log in,  which means that cookie is not the reason at all.
> 
> Any fellows have such a problem? This problem is so bad that it has driven me and my visitors crazy, which is a big security problem!
> 
> Any advice is highly appreciated!
> 
> Thanks in advance!
> 
> 
> Weffen

Re: tomcat session problem

Posted by Weffen Cheung <we...@gmail.com>.
Hello, 

First Thanks for your reply, Dan.

1. Yes,  I am using apache2+mod_proxy in front of the two tomcats, here is the configuration in httpd.conf:

        ProxyPass /images/ !
        ProxyPass /css/ !
        ProxyPass /js/ !
        ProxyPass /photo/ !
        ProxyPass /icon/ !
        ProxyPass /pg/ !
        ProxyPass /job/ !
        ProxyPass /maintenance/ !
        ProxyRequests Off

        <Proxy balancer://cluster/>
                BalancerMember ajp://localhost:8009/ route=tomcat loadfactor=1
                BalancerMember ajp://localhost:8010/ route=tomcat2 loadfactor=1
        </Proxy>
        ProxyPass / balancer://cluster/ stickysession=JSESSIONID nofailover=On
        ProxyPassReverse / balancer://cluster/

2. I am not sure whether the problem occurs on the same tomcat, because I have no idea how to confirm that. Could you give me any tips to find it out?  This problem occurs occasionally, and I really don't know whether it is because of the session duplication or tomcat session manager itself.

3. But one thing I am sure is that the two users use different PCs to log in,  which means that cookie is not the reason at all.

Any fellows have such a problem? This problem is so bad that it has driven me and my visitors crazy, which is a big security problem!

Any advice is highly appreciated!

Thanks in advance!


Weffen


On 2012-1-11, at 9:52 PM, Daniel Mikusa wrote:

> On Wed, 2012-01-11 at 02:29 -0800, Weffen Cheung wrote:
>> Hello,
>> 
>> I am using 2 tomcat(7.0.11) on my server, with clustering and session duplication. All the things are running smoothly except the session problem sometimes:
>> 
>> 1. userA login, userB login
> 
> Are userA and userB on the same TC instance?
> 
>> 2. Sometimes when userB loads a page, he finds that he has become userA; it means that userB's login session data has been replaced with userA's. Don't know why. Is it a bug?
> 
> In most cases this occurs due to a session, request or response object
> being retained by a servlet.  This is bad and can cause behaviors
> similar to the one you are reporting.
> 
>> Has anyone encountered the same problem??
>> 
>> Any advice would be highly appreciated!
> 
> One other thought, what do you have in front of the two TC instances?
> Apache HTTPD with mod_proxy? or with mod_jk?
> 
> Have you confirmed that the correct session id is being sent from the
> browser to your load balancer and then from the load balancer to your TC
> instance?
> 
> Dan


--
Weffen Cheung
E: weffen@gmail.com
M: 13802222618




Re: tomcat session problem

Posted by Daniel Mikusa <dm...@vmware.com>.
On Wed, 2012-01-11 at 02:29 -0800, Weffen Cheung wrote:
> Hello,
> 
> I am using 2 tomcat(7.0.11) on my server, with clustering and session duplication. All the things are running smoothly except the session problem sometimes:
> 
> 1. userA login, userB login

Are userA and userB on the same TC instance?

> 2. Sometimes when userB loads a page, he finds that he has become userA; it means that userB's login session data has been replaced with userA's. Don't know why. Is it a bug?

In most cases this occurs due to a session, request or response object
being retained by a servlet.  This is bad and can cause behaviors
similar to the one you are reporting.

> Has anyone encountered the same problem??
> 
> Any advice would be highly appreciated!

One other thought, what do you have in front of the two TC instances?
Apache HTTPD with mod_proxy? or with mod_jk?

Have you confirmed that the correct session id is being sent from the
browser to your load balancer and then from the load balancer to your TC
instance?

Dan
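
The retained-object problem described in this message, as an added example that is not part of the thread: a container creates one servlet instance and calls it from many request threads, so a request or session stored in an instance field is visible to every concurrent request. Req, LeakyServlet and SafeServlet are hypothetical plain-Java stand-ins for the Servlet API, and the latches force the interleaving that in production happens only occasionally.

```java
import java.util.concurrent.CountDownLatch;

// Added example, not code from the thread. All types here are hypothetical
// stand-ins; nothing below is Tomcat or Servlet API code.
public class RetainedRequestDemo {

    /** Stand-in for HttpServletRequest: carries the user bound to the caller's session. */
    static final class Req {
        final String sessionUser;
        Req(String sessionUser) { this.sessionUser = sessionUser; }
    }

    /** Stand-in for Servlet.service(); 'pause' models slow work such as a database call. */
    interface Handler {
        String service(Req req, Runnable pause);
    }

    /** BROKEN: the single shared instance keeps the request in a field. */
    static final class LeakyServlet implements Handler {
        private Req current;                       // shared by all request threads
        public String service(Req req, Runnable pause) {
            current = req;                         // retained beyond this call's stack
            pause.run();
            return "Welcome " + current.sessionUser;  // may now be another user's request
        }
    }

    /** FIXED: the request lives only in parameters and locals, which are per thread. */
    static final class SafeServlet implements Handler {
        public String service(Req req, Runnable pause) {
            pause.run();
            return "Welcome " + req.sessionUser;
        }
    }

    /** Runs userB's request, lets userA's request complete in the middle of it,
     *  and returns the page that userB finally receives. */
    static String pageSeenByUserB(Handler servlet) throws InterruptedException {
        CountDownLatch bInside = new CountDownLatch(1);
        CountDownLatch aDone = new CountDownLatch(1);
        String[] pageForB = new String[1];

        Thread b = new Thread(() -> pageForB[0] = servlet.service(new Req("userB"), () -> {
            bInside.countDown();                   // userB's request is now in flight
            awaitQuietly(aDone);                   // ... and stalls until userA is served
        }));
        b.start();
        bInside.await();
        servlet.service(new Req("userA"), () -> { });  // userA's request runs to completion
        aDone.countDown();
        b.join();
        return pageForB[0];
    }

    static void awaitQuietly(CountDownLatch latch) {
        try {
            latch.await();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("leaky servlet, page sent to userB: " + pageSeenByUserB(new LeakyServlet()));
        System.out.println("safe servlet,  page sent to userB: " + pageSeenByUserB(new SafeServlet()));
    }
}
```

With the leaky handler userB receives userA's page, which is the symptom reported at the start of the thread; a review for this bug looks for servlet, filter or singleton fields of type HttpServletRequest, HttpServletResponse or HttpSession.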