Request Assumes Identity of Another User who Logs in Concurrently Due to Apache CacheIgnoreHeaders


Symptoms

A logged-in session spontaneously switches to another user. The victim's JSESSIONID cookie is delivered to a second user (the "perpetrator", who is entirely unaware and innocent) whose browser then presents it on subsequent requests, so the second user continues the victim's session. The effect is indistinguishable from session hijacking even though no attack took place.

Cause

The Apache web server that proxies Tomcat was configured with mod_cache to cache certain fixed-content (static) files so that Tomcat does not have to serve that traffic. The configuration did not use the CacheIgnoreHeaders directive to tell mod_cache to drop Set-Cookie headers before storing a response. mod_cache stores the complete upstream response, headers included, so if Tomcat happened to issue a Set-Cookie: JSESSIONID=... header on a response that was cached, that cached entry (with the Set-Cookie header still attached) was later served to a different user, whose browser adopted the first user's session identifier. The leak requires an unusual coincidence of timing between two users, which is why it appears intermittent.

Resolution

If these problems are encountered, you can either:

  • disable the mod_cache module (and mod_disk_cache / mod_cache_disk) completely; or
  • add the directive CacheIgnoreHeaders Set-Cookie to the mod_cache section of the Apache configuration, in the same virtual host or server context that contains the CacheEnable directive. CacheIgnoreHeaders is a mod_cache directive, not a mod_proxy one, and it only affects what is stored from now on: also clear the existing disk cache after applying it so that an already-cached response carrying a Set-Cookie header cannot be served again.

(info) For more details on how to configure mod_cache see also Configuring Apache to Cache Static Content via mod_disk_cache
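The following Apache virtual host fragment is an added example and is not configuration from this article or from Atlassian; it shows the weak mod_cache setup next to the corrected one. The hostname, the Tomcat port, the cache root and the cached path prefix (/s/, where Jira serves batched static resources) are assumptions for illustration and should be replaced with your own values.

```apache
# --- Weak configuration: mod_cache stores the whole upstream response,
#     including any Set-Cookie: JSESSIONID=... header Tomcat attached to it.
<VirtualHost *:80>
    ServerName jira.example.com            # assumed hostname

    CacheEnable disk /s/                   # assumed static-content prefix
    CacheRoot /var/cache/apache2/mod_cache_disk
    CacheDefaultExpire 3600

    ProxyPreserveHost On
    ProxyPass        / http://localhost:8080/      # assumed Tomcat connector
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>

# --- Corrected configuration: the Set-Cookie header is stripped before the
#     response is written to the cache, so a cache hit can never carry
#     another user's session identifier.
<VirtualHost *:80>
    ServerName jira.example.com

    CacheEnable disk /s/
    CacheRoot /var/cache/apache2/mod_cache_disk
    CacheDefaultExpire 3600

    # Do not persist session cookies with cached objects.
    CacheIgnoreHeaders Set-Cookie

    # Optional (httpd 2.4): add an X-Cache: HIT/MISS header so the fix can
    # be verified from a client.
    CacheHeader On

    ProxyPreserveHost On
    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>
```

To verify the change, restart httpd, clear the cache directory (for example with htcacheclean, or by removing the contents of CacheRoot while httpd is stopped), then request a cached static resource twice with curl -I. The second response should report X-Cache: HIT from ... and must contain no Set-Cookie header. Disabling mod_cache entirely is the simpler alternative if the caching was not actually needed.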

If your proxy configuration does not match the one described here, the behaviour described in JRA-47583 may be causing the problem. If this is the case, please follow the workaround in that bug.

Last modified on Nov 2, 2018
