Request Assumes Identity of Another User who Logs in Concurrently Due to Apache CacheIgnoreHeaders
Symptoms
The session spontaneously switches to another user: the victim's JSESSIONID cookie is set on the browser of a second user (the unwitting "perpetrator", who did nothing to cause it), so that second user's requests are handled under the victim's session. The effect is indistinguishable from session stealing.
Cause
The Apache web server that proxies the Tomcat server was configured to cache certain fixed-content files to relieve Tomcat of that traffic. The configuration does not use the CacheIgnoreHeaders directive to tell mod_cache not to store Set-Cookie headers along with the cached responses. When an unusual combination of circumstances coincided for two users, the cached item, complete with its Set-Cookie header, was returned to a different user than the one for whom the cookie had been issued.
Resolution
If these problems are encountered, you can either:
- disable the mod_cache module completely; or
- add the directive
CacheIgnoreHeaders Set-Cookie
to Apache's mod_proxy configuration.
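The following vhost fragment is an added example, not configuration from the original article or from Atlassian: it shows the weak caching setup described under Cause next to the corrected one. Host names, the Tomcat port, the cache root and the cached path prefix are assumptions, and the module names assume Apache 2.4 (mod_cache_disk; on 2.2 the equivalent is mod_disk_cache).

```apache
# Added example (not from the original article). Assumed: Apache 2.4 reverse
# proxy in front of Tomcat on localhost:8080, static content under /s/.
LoadModule cache_module        modules/mod_cache.so
LoadModule cache_disk_module   modules/mod_cache_disk.so
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so

<VirtualHost *:80>
    ServerName app.example.com

    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    # --- Weak setting (the situation described under Cause) ---
    # Static content is cached to relieve Tomcat, but nothing stops mod_cache
    # from storing a Set-Cookie header (for example JSESSIONID) together with
    # the cached body. A later client requesting the same URL can then be
    # handed the first user's session cookie straight from the cache.
    CacheEnable disk /s/
    CacheRoot   /var/cache/apache2/mod_cache_disk

    # --- Corrected setting ---
    # Strip Set-Cookie from responses before they are written to the cache, so
    # a cached object can never carry another user's session identifier.
    CacheIgnoreHeaders Set-Cookie
</VirtualHost>
```

To confirm the fix, request a cached static URL twice with different clients and check that neither response carries a Set-Cookie header; a response served from the cache normally includes an Age header, which tells you the cache is actually being hit.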
For more details on how to configure mod_cache, see also Configuring Apache to Cache Static Content via mod_disk_cache.
If the proxy configuration does not match the one described here, it is possible that the behaviour described in JRA-47583 is causing the problem. If so, please follow the workaround given in that bug.