Request Assumes Identity of Another User who Logs in Concurrently Due to Apache CacheIgnoreHeaders
The session spontaneously switches to another user. The JSESSIONID cookie of the victim is set for the "perpetrator" (who is both unaware of and innocent of the switch), producing the session-stealing behaviour.
The Apache web server that proxies the Tomcat server was configured to cache certain fixed-content files to relieve Tomcat of that traffic. The configuration did not use the CacheIgnoreHeaders directive to tell mod_cache not to store the Set-Cookie header along with the cached responses. When an unusual combination of circumstances coincided for two users, the cached item, with its Set-Cookie header (and therefore the first user's JSESSIONID), was returned to the other user.
If these problems are encountered, you can either:
- try disabling the
- or invoke the directive
CacheIgnoreHeaders Set-Cookie in Apache's mod_proxy configuration.
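The following is an added illustration, not configuration taken from the original article or from Atlassian's documentation. It shows the weak mod_cache setup beside the corrected one; the paths, ProxyPass target, and cache root are assumptions chosen for the example.

```apache
# --- Vulnerable (assumed example): static content is cached, but nothing
# --- stops mod_cache from storing Tomcat's Set-Cookie header with the entry.
<IfModule mod_cache.c>
    CacheEnable disk /static/          # assumed path served by Tomcat
    CacheRoot /var/cache/apache2/mod_cache_disk   # assumed location
</IfModule>
ProxyPass        /static/ http://localhost:8080/static/   # assumed Tomcat port
ProxyPassReverse /static/ http://localhost:8080/static/

# --- Corrected: strip Set-Cookie before the response is stored, so a
# --- cached file can never hand one user's JSESSIONID to another user.
<IfModule mod_cache.c>
    CacheEnable disk /static/
    CacheRoot /var/cache/apache2/mod_cache_disk
    # Drop the Set-Cookie header from responses before they are cached.
    CacheIgnoreHeaders Set-Cookie
</IfModule>
ProxyPass        /static/ http://localhost:8080/static/
ProxyPassReverse /static/ http://localhost:8080/static/
```

After changing the configuration, clear the existing cache directory so entries already stored with a Set-Cookie header are not served again, then reload Apache. A quick way to confirm the fix is to request a cached resource twice and check with a header-dumping client that the second (cache hit) response carries no Set-Cookie header.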
For more details on how to configure mod_cache, see also Configuring Apache to Cache Static Content via mod_disk_cache.
If the proxy configuration does not match the scenario above, it is possible that the behaviour described in JRA-47583 is causing the problem. If this is the case, please follow the workaround in that bug.