Request assumes identity of another user who logs in concurrently due to Apache CacheIgnoreHeaders

Problem

  • The session spontaneously switches to another user
  • The JSESSIONID cookie of the victim is set for the "perpetrator" leading to unintended session-stealing behavior

Cause

The Apache web server that proxies Tomcat was configured to cache certain static files so that Tomcat does not have to serve that traffic. The configuration does not use the CacheIgnoreHeaders directive to tell mod_cache not to store "Set-Cookie" headers with the cached responses. As a result, a cached item can be returned, together with its Set-Cookie header, to a different user, who is then served the wrong session.

Resolution

If these problems are encountered, you can either:

  • try disabling the mod_cache module completely, or
  • invoke the directive CacheIgnoreHeaders Set-Cookie in Apache's mod_proxy configuration
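The following is an added example that is not part of the Atlassian article: a minimal Apache 2.4 virtual host that proxies Tomcat and caches static content with mod_cache_disk (mod_disk_cache in Apache 2.2). It shows the weak configuration described under Cause and the corrected configuration from Resolution side by side. The hostname, backend address, cache path prefix and cache root are assumptions chosen for the example.

```apache
# Constructed example: reverse proxy in front of Tomcat with static-content caching.
<VirtualHost *:80>
    ServerName jira.example.com            # placeholder hostname

    ProxyPreserveHost On
    ProxyPass        / http://localhost:8080/   # assumed Tomcat address
    ProxyPassReverse / http://localhost:8080/

    # Cache static assets under an assumed path prefix.
    CacheEnable disk /s/
    CacheRoot   /var/cache/apache2/mod_cache_disk
    CacheDefaultExpire 3600
    CacheHeader On        # adds an X-Cache: HIT/MISS header so cache behaviour is observable

    # WEAK: with only the directives above, a response that carried
    #   Set-Cookie: JSESSIONID=...
    # is stored in the cache together with its body, and the next user who
    # requests the same path receives that cookie and inherits the session.

    # FIX: keep Set-Cookie out of what mod_cache stores and replays.
    CacheIgnoreHeaders Set-Cookie
</VirtualHost>
```

With CacheHeader On, the fix can be verified by requesting a cached static path twice and confirming that the response marked X-Cache: HIT carries no Set-Cookie header. The alternative named in the first bullet, disabling mod_cache entirely, is simply the same virtual host with the Cache* directives removed and the cache modules unloaded.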

For more details on how to configure mod_cache, see Configuring Apache to Cache Static Content via mod_disk_cache.

Last modified on Nov 2, 2018