ASF Bugzilla – Bug 44116
Multiple JSESSIONID handling with overlapping domains does not work
Last modified: 2008-10-05 03:10:07 UTC
The changelog notes for mod_jk 1.2.6/1.2.7 specify that mod_jk properly handle multiple JSESSIONID cookies with overlapping domains as described below: "Check all JSESSIONID cookies for a valid jvmRoute. If you have multiple Tomcats with overlapping domains, then you can get multiple cookies without a defined order. This will route correctly as long as the different domains don't have any Tomcats in common. (billbarker)" Unfortunately this feature does not work properly because of a bug in the design implementation. In the source file "jk_lb_worker.c", the function "get_cookie" should get every JSESSIONID cookies contained in the HTTP header but there is a mistake using the char pointers "id_start/id__end". The result is that we just get the first JESSSIONID cookie, the other are simply lost in memory. The bug is reproductible as follow: nc website 80 GET /hello.jsp HTTP/1.0 Then you will get a JSESSIONID Cookie in the HTTP header, for example: Set-Cookie: JSESSIONID=297267684ED72B2F3AB38CFDD4402FC5; Path=/ Finally: nc website 80 GET /hello.jsp HTTP/1.0 Cookie: JSESSIONID=297267684ED72B2F3AB38CFDD4402FC6;JSESSIONID=297267684ED72B2F3AB38CFDD4402FC5; You should not get another JSESSIONID (Set-Cookie option directive) and your request should be forwarded to the correct tomcat worker but it does not work. Actually, mod_jk get the first JSESSIONID which is voluntary invalid but Tomcat does not know it and send us another "Set-Cookie" HTTP option header.
Created attachment 21300 [details] Handle multiple JSESSIONID cookies with tomcat overlaping domains BugFix for the feature: "Check all JSESSIONID cookies for a valid jvmRoute. If you have multiple Tomcats with overlapping domains, then you can get multiple cookies without a defined order. This will route correctly as long as the different domains don't have any Tomcats in common. (billbarker)"
The patch has been successfully tested with tomcat-connectors version 1.2.25 but should work with versions from 1.2.6 to 1.2.25. The following products are actually used on many production sites: tomcat-connectors 1.2.25 patched / apache-tomcat 5.5.12, 5.5.15, 5.5.17 and 5.5.25.
Reopen, so that we will actually consider the patch for inclusion. Will only be closed/fixed after applied to the code. Thanks for the patch. Unfortunately it's a couple of days to late for 1.2.26, which we are going to tag today, but we will have a look at the patch for 1.2.27.
Created attachment 21338 [details] Alternative patch
I made a small variation of your patch, which I attach to this issue. The basic idea is the same, but it might copy a little less and also uses id_end to move id_start forward, so we have to do a little less earching. Finally it terminates at the earlier of ';' and ',' by using strpbrk. If you have a good test case, could you do some testing of it? Feedback would be nice. If all goes well, we'll include this for 1.2.27.
The last patch has been successfully tested with tomcat-connectors version 1.2.25 so there is no feature regression. I'm going to package the modules for apache 1.3 and apache 2.0 and it will be tagged STABLE on our production sites in few minutes.
Thank you for your quick feedback. The patch has been committed and will be part of 1.2.27. I'm closing this now, don't hesitate to reopen, if needed.