Bug 44116 - Multiple JSESSIONID handling with overlapping domains does not work
Status: RESOLVED FIXED
Product: Tomcat Connectors
Classification: Unclassified
Component: Common
Version: unspecified
Hardware: All All
Importance: P2 major
Target Milestone: ---
Assigned To: Tomcat Developers Mailing List
Reported: 2007-12-21 03:00 UTC by david ramblewski
Modified: 2008-10-05 03:10 UTC



Attachments
Handle multiple JSESSIONID cookies with tomcat overlapping domains (3.88 KB, patch)
2007-12-21 03:04 UTC, david ramblewski
Alternative patch (1.98 KB, patch)
2008-01-02 14:04 UTC, Rainer Jung

Description david ramblewski 2007-12-21 03:00:15 UTC
The changelog notes for mod_jk 1.2.6/1.2.7 specify that mod_jk properly handles
multiple JSESSIONID cookies with overlapping domains as described below:

"Check all JSESSIONID cookies for a valid jvmRoute. If you have multiple Tomcats
with overlapping domains, then you can get multiple cookies without a defined
order. This will route correctly as long as the different domains don't have any
Tomcats in common. (billbarker)"

Unfortunately this feature does not work properly because of a bug in the design
implementation.

In the source file "jk_lb_worker.c", the function "get_cookie" should get every
JSESSIONID cookie contained in the HTTP header but there is a mistake using the
char pointers "id_start/id_end". The result is that we just get the first
JSESSIONID cookie, the others are simply lost in memory.

The bug is reproducible as follows:
    nc website 80
    GET /hello.jsp HTTP/1.0

Then you will get a JSESSIONID Cookie in the HTTP header, for example:
    Set-Cookie: JSESSIONID=297267684ED72B2F3AB38CFDD4402FC5; Path=/

Finally:
    nc website 80
    GET /hello.jsp HTTP/1.0
    Cookie: JSESSIONID=297267684ED72B2F3AB38CFDD4402FC6;JSESSIONID=297267684ED72B2F3AB38CFDD4402FC5;

You should not get another JSESSIONID (Set-Cookie option directive) and your
request should be forwarded to the correct tomcat worker but it does not work.
Actually, mod_jk gets the first JSESSIONID, which is voluntarily invalid, but Tomcat
does not know it and sends us another "Set-Cookie" HTTP option header.
Comment 1 david ramblewski 2007-12-21 03:04:24 UTC
Created attachment 21300
Handle multiple JSESSIONID cookies with tomcat overlapping domains

BugFix for the feature:

"Check all JSESSIONID cookies for a valid jvmRoute. If you have multiple
Tomcats with overlapping domains, then you can get multiple cookies without a
defined order. This will route correctly as long as the different domains don't
have any Tomcats in common. (billbarker)"
Comment 2 david ramblewski 2007-12-21 03:14:19 UTC
The patch has been successfully tested with tomcat-connectors version 1.2.25 but
should work with versions from 1.2.6 to 1.2.25.
The following products are actually used on many production sites:
tomcat-connectors 1.2.25 patched / apache-tomcat 5.5.12, 5.5.15, 5.5.17 and 5.5.25.
Comment 3 Rainer Jung 2007-12-21 03:35:58 UTC
Reopen, so that we will actually consider the patch for inclusion. Will only be
closed/fixed after applied to the code.

Thanks for the patch. Unfortunately it's a couple of days too late for 1.2.26,
which we are going to tag today, but we will have a look at the patch for 1.2.27.
Comment 4 Rainer Jung 2008-01-02 14:04:11 UTC
Created attachment 21338
Alternative patch
Comment 5 Rainer Jung 2008-01-02 14:06:04 UTC
I made a small variation of your patch, which I attach to this issue.
The basic idea is the same, but it might copy a little less and also uses id_end
to move id_start forward, so we have to do a little less searching. Finally it
terminates at the earlier of ';' and ',' by using strpbrk.

If you have a good test case, could you do some testing of it? Feedback would be
nice.

If all goes well, we'll include this for 1.2.27.
Comment 6 david ramblewski 2008-01-03 02:45:59 UTC
The last patch has been successfully tested with tomcat-connectors version
1.2.25 so there is no feature regression.
I'm going to package the modules for apache 1.3 and apache 2.0 and it will be
tagged STABLE on our production sites in a few minutes.
Comment 7 Rainer Jung 2008-01-03 03:23:18 UTC
Thank you for your quick feedback.
The patch has been committed and will be part of 1.2.27.
I'm closing this now, don't hesitate to reopen, if needed.
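
The scan discussed in the description and in Comment 5 (check every JSESSIONID cookie, ending each value at the earlier of ';' and ',' with strpbrk), as an added example that is neither of the attached patches nor mod_jk's own code. The helpers `next_cookie` and `sticky_route` and the worker names `tc1`/`tc2` are assumptions, and the sample header in `main` is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumed jvmRoute names of the workers behind this balancer. */
static const char *const WORKERS[] = { "tc1", "tc2" };

/* Copy the next value of cookie `name` found at or after *cursor into out and
 * advance *cursor past it. Returns 1 on success, 0 when none is left.
 * Hypothetical helper for illustration, not mod_jk's get_cookie(). */
static int next_cookie(const char **cursor, const char *name,
                       char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *hdr = *cursor, *p = hdr;

    while ((p = strstr(p, name)) != NULL) {
        /* Match whole cookie names only: "XJSESSIONID=" must not count. */
        int boundary = (p == hdr) || strchr("; ,\t", p[-1]) != NULL;
        if (!boundary || p[nlen] != '=') { p += nlen; continue; }
        const char *val = p + nlen + 1;
        const char *end = strpbrk(val, ";,");   /* earlier of ';' and ',' */
        size_t len = end ? (size_t)(end - val) : strlen(val);
        p = val + len;                          /* keep scanning after it */
        if (len >= outsz) continue;             /* skip oversized values */
        memcpy(out, val, len);
        out[len] = '\0';
        *cursor = p;
        return 1;
    }
    return 0;
}

/* Return the first known worker named as jvmRoute (text after '.') by any
 * JSESSIONID cookie in hdr, or NULL if no cookie carries a known route. */
static const char *sticky_route(const char *hdr, const char *const *workers,
                                size_t nworkers)
{
    char id[128];
    while (next_cookie(&hdr, "JSESSIONID", id, sizeof id)) {
        const char *dot = strchr(id, '.');
        for (size_t w = 0; dot && w < nworkers; w++)
            if (strcmp(dot + 1, workers[w]) == 0)
                return workers[w];
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample: cookie with an unknown route first, valid one second. */
    const char *r = sticky_route("JSESSIONID=AAAA.old9;JSESSIONID=BBBB.tc2;", WORKERS, 2);
    printf("route: %s\n", r ? r : "(none)");
    return 0;
}
```

A scanner that stops at the first JSESSIONID would see only the unknown route `old9` here and lose stickiness; the header from the description carries no route suffix in either cookie, so for it the function returns NULL.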