[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Duplicate sessionIds in cluster

anre42 do-not-reply at jboss.com
Fri Jan 26 02:31:34 EST 2007


Hi,

We're using Jboss-4.0.3SP1 in a clustered environment where we run 3 full jboss nodes on each machine. We don't use http session replication but we have a load balancer as a front to switch between different nodes (we "kick out" users and redirect them to another node if a node fails).

Recently we discovered a very serious problem during testing. We were taking nodes up and down while users were logged in, making them fail over to another node, and since no session replication is done they should have to log in at the new node. However, on a couple of occasions the kicked-out user went straight into the application on the new node without logging in, and the really alarming part is that he came in as a different user!!? Like they stole someone else's session?

I have been thinking very hard about what could have happened and the only, at least semi-, reasonable explanation I can think of is that the session-Id generators seed from the same random source on the same machine. We're running Linux so in our case, if I interpret the tomcat code correctly, it picks random data from /dev/urandom to generate the session id. And as I understand it, if there are more than one node on each machine as in our case they will generate the same series of session-ids.

Has anyone experienced the same problems? Is this a likely explanation? Does anyone have a good idea on how we can solve this problem? We can absolutely not go live with this application until we are 100% certain that users can't "steal" other users' sessions.

Appreciate all feedback

Cheers!

/Andreas

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4006677#4006677

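The symptom described in the post (a user landing in someone else's session after failover) leaves a clear trace in access logs if the server-side session id and the authenticated principal are logged per node. The script below, an added example that is not from the poster or from JBoss/Tomcat, checks such logs for the two signs of duplicate id generation: the same session id live on more than one node, and the same id bound to more than one user. It also lists ids that carry no per-node suffix, because Tomcat appends "." plus the Engine's `jvmRoute` to every generated id when that attribute is set, which by itself keeps ids disjoint across nodes. The log format, node names, addresses and session ids are all constructed for the example; the `%S` pattern of Tomcat's AccessLogValve is the real way to get the server-side session id into a log line.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data). Assumed format, one request per
# line: node, client IP, timestamp, server-side session id (what Tomcat's
# AccessLogValve "%S" pattern logs), authenticated principal or "-".
# node3 independently issues the same id that node1 gave alice; when alice is
# kicked over to node3 she is served dave's session.
SAMPLE_LOG = """\
node1 10.0.0.5 2007-01-25T10:00:01 JSESSIONID=4F2A9C1B7E3D5A6F8091B2C3D4E5F601 alice
node2 10.0.0.6 2007-01-25T10:00:03 JSESSIONID=9B1D2E3F405162738495A6B7C8D9E0F1 bob
node1 10.0.0.7 2007-01-25T10:00:04 JSESSIONID=C0FFEE00C0FFEE00C0FFEE00C0FFEE00 carol
node3 10.0.0.8 2007-01-25T10:00:09 JSESSIONID=4F2A9C1B7E3D5A6F8091B2C3D4E5F601 dave
node3 10.0.0.5 2007-01-25T10:01:12 JSESSIONID=4F2A9C1B7E3D5A6F8091B2C3D4E5F601 dave
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) JSESSIONID=(\S+) (\S+)$")


def parse_log(text):
    """Turn log text into a list of records; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            node, client, ts, sid, principal = m.groups()
            records.append({"node": node, "client": client, "ts": ts,
                            "sid": sid, "principal": principal})
    return records


def cross_node_ids(records):
    """Session ids seen as a live session on more than one node.

    Without session replication a node never learns another node's ids, so a
    server-side id appearing on two nodes means two generators produced it
    independently.
    """
    nodes = defaultdict(set)
    for r in records:
        nodes[r["sid"]].add(r["node"])
    return {sid: sorted(n) for sid, n in nodes.items() if len(n) > 1}


def multi_principal_ids(records):
    """Session ids bound to more than one authenticated user: the symptom the
    post describes, one user inside another user's session."""
    users = defaultdict(set)
    for r in records:
        if r["principal"] != "-":
            users[r["sid"]].add(r["principal"])
    return {sid: sorted(u) for sid, u in users.items() if len(u) > 1}


def ids_without_node_suffix(records):
    """Ids lacking a jvmRoute suffix ("<id>.<route>"). With a distinct jvmRoute
    per node the suffix alone makes ids from different nodes differ."""
    return sorted({r["sid"] for r in records if "." not in r["sid"]})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("ids issued on several nodes:", cross_node_ids(recs))
    print("ids shared by several users:", multi_principal_ids(recs))
    print("ids with no jvmRoute suffix:", ids_without_node_suffix(recs))
```

Run it against the constructed sample and it flags `4F2A…` as issued on node1 and node3 and as bound to both alice and dave; all three ids are reported as lacking a node suffix. On a cluster with a distinct `jvmRoute` per node the first two checks should stay empty regardless of how each node's generator is seeded, which makes them a cheap pre-go-live regression check.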


