Request Assumes Identity of Another User who Logs in Concurrently Due to Apache CacheIgnoreHeaders

Still need help?

The Atlassian Community is here for you.

Ask the community


The session spontaneously switches to another user. The JSESSIONID cookie of the victim is set for the "perpetrator" (in complete ignorance as well as innocence), leading to the session-stealing behavior.


Apache webserver, which proxies the Tomcat server was configured to cache certain fixed-content files to relieve Tomcat of the traffic. The configuration does not take care to use the CacheIgnoreHeaders directive to tell mod_cache not to cache Set-Cookie headers with the responses. When a combination of unusual circumstances coincided for two users - the cached item, with its Set-Cookie header, was returned to another user.


If these problems are encountered, you can either:

  • try disabling the mod_cache module completely;
  • or invoke the directive CacheIgnoreHeaders Set-Cookie in Apache's mod_proxy configuration.

(info) For more details on how to configure mod_cache see also Configuring Apache to Cache Static Content via mod_disk_cache

If the proxy configuration does not match here, it's possible that the behaviour described in JRA-47583 - Getting issue details... STATUS may be causing the problem. If this is the case please follow the workaround in that bug.

Last modified on Nov 2, 2018

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.