6 Replies Latest reply on Apr 25, 2007 10:06 AM by twistah

    Duplicate sessionIds in cluster

    anre42

      Hi,

We're using Jboss-4.0.3SP1 in a clustered environment where we run 3 full jboss nodes on each machine. We don't use http session replication, but we have a load balancer as a front to switch between different nodes (we "kick out" users and redirect them to another node if a node fails).

Recently we discovered a very serious problem during testing: we were taking nodes up and down while users were logged in, making them fail over to another node, and since no session replication is done they should have to log in at the new node. However, on a couple of occasions the kicked-out user went straight into the application on the new node without logging in, and the really alarming part is that he came in as a different user!!? Like they stole someone else's session?

I have been thinking very hard about what could have happened, and the only, at least semi-, reasonable explanation I can think of is that the session-Id generators seed from the same random source on the same machine. We're running Linux, so in our case, if I interpret the tomcat code correctly, it picks random data from /dev/urandom to generate the session id. And as I understand it, if there is more than one node on each machine, as in our case, they will generate the same series of session-ids.

Has anyone experienced the same problems? Is this a likely explanation? Does anyone have a good idea on how we can solve this problem? We can absolutely not go live with this application until we are 100% certain that users can't "steal" other users' sessions.

      Appreciate all feedback

      Cheers!

      /Andreas

        • 1. Re: Duplicate sessionIds in cluster
          mji0866

          Looks like we are experiencing a similar issue. Did anyone ever resolve??

          Any help is much appreciated.

          Michele

          • 2. Re: Duplicate sessionIds in cluster
            raist_majere

If you can't find a better solution, you can have different permutations of SessionIdAlphabet in each node. They are set in jbossweb-tomcat55.sar/META-INF/jboss-service.xml. Looking at the SessionID generation code, having these characters (they must be 65, remember) permuted in each node will decrease the probability of having duplicated session ids... Hope it helps.

            • 3. Re: Duplicate sessionIds in cluster
              jfclere

Look at http://www.jboss.org/wiki/Wiki.jsp?page=UsingMod_jk1.2WithJBoss
Do the JBoss part that way, so the sessionid can't be duplicated:
with a different node_name for each node.
              true
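The following is an added example, not code from this thread or from JBoss/Tomcat. It models the failure mode the original post suspects (every node ends up running the same session-id series) and the two mitigations proposed in replies 2 and 3: a per-node permutation of the 65-symbol alphabet, and a per-node jvmRoute-style suffix on the id. One caveat worth stating: two processes that each read /dev/urandom do not obtain the same bytes; identical series arise when the nodes share a deterministic seed, which is what `ids_seeded` assumes. The alphabet, the id length of 16 symbols and the node names are constructed for the illustration.

```python
import random
import secrets
import string

# Constructed 65-symbol alphabet standing in for the SessionIdAlphabet setting
# the thread mentions (the real default in jboss-service.xml may differ).
ALPHABET = string.ascii_letters + string.digits + "_-*"
assert len(ALPHABET) == 65

# Symbols per id. An assumption for this model; Tomcat's sessionIdLength counts bytes.
ID_LENGTH = 16


def ids_from_prng(rng, n, alphabet=ALPHABET, length=ID_LENGTH):
    """Draw n ids of `length` symbols, taking every symbol index from rng.randrange."""
    return [
        "".join(alphabet[rng.randrange(len(alphabet))] for _ in range(length))
        for _ in range(n)
    ]


def ids_seeded(seed, n, alphabet=ALPHABET):
    """The failure mode: a generator that every node seeds with the same value.
    Two nodes calling this with the same seed emit the identical id series."""
    return ids_from_prng(random.Random(seed), n, alphabet)


def ids_csprng(n, alphabet=ALPHABET):
    """Per-node OS randomness (SystemRandom reads os.urandom, i.e. /dev/urandom)."""
    return ids_from_prng(secrets.SystemRandom(), n, alphabet)


def permuted_alphabet(alphabet, node_seed):
    """Reply 2's workaround: a different permutation of the alphabet on each node.
    Same index series + different alphabet = different strings on each node."""
    chars = list(alphabet)
    random.Random(node_seed).shuffle(chars)
    return "".join(chars)


def with_route(ids, node_name):
    """Reply 3's fix: append a jvmRoute-style suffix (".node_name"), so ids minted
    on different nodes differ by construction even if the random parts coincide."""
    return [f"{sid}.{node_name}" for sid in ids]


def shared(ids_a, ids_b):
    """Ids present in both lists: the cross-node duplicates that let one user land in another's session."""
    return set(ids_a) & set(ids_b)


if __name__ == "__main__":
    n = 1000
    node_a, node_b = ids_seeded(1234, n), ids_seeded(1234, n)
    print("same seed, same alphabet:", len(shared(node_a, node_b)), "duplicates")

    alpha_a = permuted_alphabet(ALPHABET, "node1")
    alpha_b = permuted_alphabet(ALPHABET, "node2")
    print("same seed, permuted alphabets:",
          len(shared(ids_seeded(1234, n, alpha_a), ids_seeded(1234, n, alpha_b))),
          "duplicates")

    print("same seed, jvmRoute suffix:",
          len(shared(with_route(node_a, "node1"), with_route(node_b, "node2"))),
          "duplicates")

    print("independent CSPRNG per node:", len(shared(ids_csprng(n), ids_csprng(n))),
          "duplicates")
```

Permuting the alphabet and adding a route suffix both stop two nodes from handing out the same string, but neither restores unpredictability: if the random part of one node's ids can be predicted, the other node's can be too. Only the last case, an independent CSPRNG per node, addresses that.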

              • 4. Re: Duplicate sessionIds in cluster
                mji0866

                First off, thanks to everyone for posting solutions.

                Unfortunately, after implementing the alphabet changes, re-verifying the configuration (as suggested above) and adding more verbose logging we continue to have the problem. It turns out, the duplicate IDs are actually occurring on the same node!

                Any further help is much appreciated.

                Thanks in advance.

                Michele

                • 5. Re: Duplicate sessionIds in cluster
                  g2293

                  We are facing the same problem. Were you able to resolve the issue?

                  -Kalyan

                  • 6. Re: Duplicate sessionIds in cluster

                    Hello !

                    We also were having issues with what seemed to be generation of duplicate sessionIDs. But we were running two JBoss AS/JBossWeb servers in a non-clustered environment.

                    As a test I logged all generated sessionIDs and found that, over time, of the accumulated 5300 sessionIDs generated on the two servers, 153 of them were created on both servers (duplicates). None were duplicates within the same server though.

                    So from what I can gather, that is a probable cause for some issues we were having.

A temporary fix was to make tomcat generate a longer sessionId on one of the servers in order to be truly unique.

(set the sessionIdLength attribute in deploy/jbossweb-tomcat55.sar/context.xml)

I think in order to be even more secure, we need to write some code that prevents anyone from "faking" a sessionID to "steal" another user's session.

Found some hints here: http://en.wikipedia.org/wiki/Session_fixation
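The check described in the last reply (log every generated id and look for repeats) as an added example, not code from the thread or from JBoss. It separates the two symptoms reported here: ids minted on more than one server (reply 6) and ids minted twice on the same node (reply 4), and adds a birthday-bound estimate of how many duplicates chance alone would produce for a given id length, so an observed count can be compared with what random ids should give. The log format and the sample lines are constructed for this example; no JBoss component writes them in this form.

```python
import re
from collections import defaultdict

# Constructed sample log, one line per generated session id, as a logging wrapper
# around the id generator might record it. Not real JBoss output.
SAMPLE_LOG = """\
2007-04-20 10:01:02 node=node1 event=session_created sid=3F2A9C1B7E0D4A6B
2007-04-20 10:01:05 node=node2 event=session_created sid=9B1D0E7C2A5F3344
2007-04-20 10:01:09 node=node1 event=session_created sid=C0FFEE0011223344
2007-04-20 10:01:12 node=node2 event=session_created sid=3F2A9C1B7E0D4A6B
2007-04-20 10:02:30 node=node1 event=session_created sid=7A7A7A7A7A7A7A7A
2007-04-20 10:02:31 node=node1 event=session_created sid=7A7A7A7A7A7A7A7A
2007-04-20 10:03:00 node=node3 event=session_created sid=1234ABCD5678EF90
unrelated line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) node=(?P<node>\S+) "
    r"event=session_created sid=(?P<sid>\S+)$"
)


def parse(log_text):
    """Return [(timestamp, node, sid)] for well-formed lines; anything else is ignored."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m.group("ts"), m.group("node"), m.group("sid")))
    return records


def classify_duplicates(records):
    """Split duplicate ids into the two cases the thread reports.
    cross_node: sid -> sorted nodes that each minted it   (reply 6's symptom)
    same_node:  sid -> sorted nodes that minted it twice  (reply 4's symptom)"""
    by_sid = defaultdict(list)
    for _ts, node, sid in records:
        by_sid[sid].append(node)
    cross_node, same_node = {}, {}
    for sid, nodes in by_sid.items():
        distinct = set(nodes)
        if len(distinct) > 1:
            cross_node[sid] = sorted(distinct)
        repeated = sorted(n for n in distinct if nodes.count(n) > 1)
        if repeated:
            same_node[sid] = repeated
    return cross_node, same_node


def expected_collisions(n_ids, id_bits):
    """Birthday estimate of the number of colliding pairs chance alone produces
    among n_ids uniformly random ids of id_bits bits: C(n, 2) / 2**id_bits."""
    return n_ids * (n_ids - 1) / 2 / 2 ** id_bits


if __name__ == "__main__":
    cross, same = classify_duplicates(parse(SAMPLE_LOG))
    print("cross-node duplicates:", cross)
    print("same-node duplicates:", same)
    # Reply 6 counted 153 shared ids among 5300. For comparison, the number of
    # collisions chance predicts for 5300 random 128-bit ids (16 bytes, assumed
    # here to be the sessionIdLength in use):
    print("expected by chance for 5300 x 128-bit ids:", expected_collisions(5300, 128))
```

Any duplicate count that is orders of magnitude above `expected_collisions` for the configured length points at the generator (shared seed, non-random input, or a bug) rather than at the id length, and lengthening the id only masks that. Either class of duplicate is also exactly the precondition for the hijack seen in the first post, so this check belongs in the test plan before a go-live, not only in a post-mortem.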