9 Replies Latest reply on Jul 14, 2008 3:09 PM by Sean Whyte

    Session being stolen / assigned to wrong person

    Sean Whyte Newbie

      Problem configuration:
      JBoss 4.2.1, Apache 2.0.59, mod_jk 1.2.25, java 1.6.02

      We have a problem where our website will run great 99% of the time. Then it starts all sorts of weirdness (partial pages, text only, completely wrong pages).

      Then the problem will just disappear with no intervention. It usually doesn't last more than 5 minutes.

      We have tracked the problem down to requests not being handled properly. In looking through the individual requests being processed, we can see the JSESSIONID going from one user's IP to a different user. The wrong user then becomes the original user as though they had logged in.

      The worst problem is that orders are being placed under the wrong account.

      Originally believing it to be an Apache issue, we stripped out all the Virtual Host settings, removed load balancing and made it as basic as possible.

      Finally, we reverted JBoss to 4.0.3SP1 about 2 weeks ago and the problem hasn't happened again. I don't think we ever made it 72 hours on JBoss 4.2.1.

      So, this looks to us to be a Tomcat or JBoss issue. It looks like JBoss 4.2.1 uses either Tomcat 6.0.10 or 6.0.13.

      I know JBoss is now at 4.2.2 and we are planning to try that next, but it doesn't look like it uses a different version of Tomcat, so we aren't very hopeful.

      Anybody else experienced this or does anybody know of any changes between the versions that could cause this?
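
The check described in the post (following a JSESSIONID from one client IP to another in the request logs) can be automated. The following is an added example, not code from the original post or from JBoss/Tomcat. It assumes a hypothetical Apache `LogFormat` that records the JSESSIONID cookie as the last quoted field; the log lines are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines. Assumed Apache LogFormat (not from the post):
#   "%h %t \"%r\" %>s \"%{JSESSIONID}C\""
SAMPLE_LOG = """\
10.0.0.5 [14/Jul/2008:10:00:01 +0000] "GET /cart HTTP/1.1" 200 "A1B2C3.node1"
10.0.0.9 [14/Jul/2008:10:00:02 +0000] "GET /home HTTP/1.1" 200 "D4E5F6.node1"
10.0.0.5 [14/Jul/2008:10:00:40 +0000] "GET /checkout HTTP/1.1" 200 "A1B2C3.node1"
10.0.0.9 [14/Jul/2008:10:01:10 +0000] "POST /order HTTP/1.1" 200 "A1B2C3.node1"
10.0.0.7 [14/Jul/2008:10:02:00 +0000] "GET /home HTTP/1.1" 200 "-"
10.0.0.9 [14/Jul/2008:11:30:00 +0000] "GET /home HTTP/1.1" 200 "D4E5F6.node1"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<sid>[^"]*)"$'
)

def parse(log_text):
    """Yield (timestamp, ip, session_id, request) for lines carrying a session cookie."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["sid"] in ("", "-"):
            continue  # unparsable line, or request sent without a JSESSIONID
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m["ip"], m["sid"], m["req"]

def find_session_ip_changes(log_text, window=timedelta(minutes=5)):
    """Return events where a session ID moves to a different client IP within `window`."""
    last_seen = {}  # session_id -> (timestamp, ip) of the previous request
    events = []
    for ts, ip, sid, req in sorted(parse(log_text)):
        prev = last_seen.get(sid)
        if prev and prev[1] != ip and ts - prev[0] <= window:
            events.append({"session": sid, "from_ip": prev[1], "to_ip": ip,
                           "at": ts.isoformat(), "request": req})
        last_seen[sid] = (ts, ip)
    return events

if __name__ == "__main__":
    for event in find_session_ip_changes(SAMPLE_LOG):
        print(event)
```

A session changing IP inside a short window is a signal to investigate rather than proof of cross-assignment, since clients behind proxy pools or mobile networks can legitimately change address mid-session.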