[jboss-user] hitting a specific node from the cluster

Nestor Urquiza nestor.urquiza at gmail.com
Fri Oct 26 10:32:21 EDT 2007


So I have found my own answer, basically if the request is made using
Cookie: JSESSIONID=.<node name>

The curious part is that when a request is made and the proper node
responds, the session Id keeps being ".<node name>". I would expect the
cookie to be rewritten by the server, but it never is.

This makes me think about an attack possibility. If a hacker somehow
manages to redirect a user with that session Id to a cluster
environment, he could potentially access sensitive user data, because in
fact he knows the user's session?

I have even done tests from two different IPs, and my program kept the
session with the two requests using the same ".node3C1" session Id:

[Fri Oct 26 10:22:04 2007] [30497:26304] [debug]
ajp_done::jk_ajp_common.c (2194): recycling connection pool slot=0 for
worker node3C1
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
wc_maintain::jk_worker.c (318): Maintaining worker node1C1
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
service::jk_lb_worker.c (735): service sticky_session=1 id='.node3C1'
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
get_most_suitable_worker::jk_lb_worker.c (634): searching worker for
partial sessionid .node3C1
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
get_most_suitable_worker::jk_lb_worker.c (642): searching worker for
session route node3C1
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
get_most_suitable_worker::jk_lb_worker.c (655): found worker node3C1
(node3C1) for route node3C1 and partial sessionid .node3C1
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
service::jk_lb_worker.c (755): service worker=node3C1
jvm_route=node3C1
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
ajp_service::jk_ajp_common.c (1734): processing node3C1 with 2 retries
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
ajp_done::jk_ajp_common.c (2194): recycling connection pool slot=0 for
worker node3C1
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
wc_maintain::jk_worker.c (318): Maintaining worker node1C1
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
service::jk_lb_worker.c (735): service sticky_session=1 id='.node3C1'
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
get_most_suitable_worker::jk_lb_worker.c (634): searching worker for
partial sessionid .node3C1
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
get_most_suitable_worker::jk_lb_worker.c (642): searching worker for
session route node3C1
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
get_most_suitable_worker::jk_lb_worker.c (655): found worker node3C1
(node3C1) for route node3C1 and partial sessionid .node3C1
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
service::jk_lb_worker.c (755): service worker=node3C1
jvm_route=node3C1
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
ajp_service::jk_ajp_common.c (1734): processing node3C1 with 2 retries
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
ajp_connection_tcp_send_message::jk_ajp_common.c (892): 00f0    30 00
06 00 07 6E 6F 64 65 33 43 31 00 FF 00 00  - 0....node3C1....
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
ajp_done::jk_ajp_common.c (2194): recycling connection pool slot=0 for
worker node3C1

Any ideas about how to make the server force the creation of a brand-new
random session id after receiving any request using a non-existing
session id?

Thanks!

-Nestor


On 10/15/07, Nestor Urquiza <nestor.urquiza at gmail.com> wrote:
> Hello guys,
>
> Just new to the JBoss world, so if this is not the right list, please be
> kind and advise where I should post the question.
>
> Currently we have a cluster formed of three nodes, each of them on a
> separate machine. I want to be able to target a specific node from my
> HTTP request. Is there any HTTP Header/GET/POST param that would allow
> me to make one node respond to my request?
>
> Thanks in advance,
>
> -Nestor
>
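
One way to get the behaviour asked for above, as an added example that is not code from the poster or from JBoss: a hypothetical servlet filter (assumed Servlet 2.x API, mapped to /* in web.xml) that notices a client-supplied JSESSIONID the container does not recognise, such as a bare ".node3C1" route suffix, logs it, and makes the container issue a fresh random id instead of letting the request continue with the client's value.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical filter (not part of JBoss): when the request carries a
 * session id that matches no live session, force a new one. The
 * container then generates a random id with its own jvmRoute suffix
 * and sends a new Set-Cookie, so the id chosen by the client is dropped.
 */
public class StaleSessionIdFilter implements Filter {

    private static final Logger LOG =
            Logger.getLogger(StaleSessionIdFilter.class.getName());

    public void init(FilterConfig config) {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            // Id the client presented via cookie or URL, or null if none.
            String requestedId = httpReq.getRequestedSessionId();
            // An id was presented but the container has no session for it.
            if (requestedId != null && !httpReq.isRequestedSessionIdValid()) {
                // Worth recording: the load balancer accepted the route
                // suffix and routed the request even though no session exists.
                LOG.warning("Unknown session id '" + requestedId + "' from "
                        + httpReq.getRemoteAddr() + "; issuing a new session");
                // getSession(true) creates a session with a container-generated
                // random id; the client-supplied value is never reused.
                httpReq.getSession(true);
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

The filter only replaces ids the container already rejects; an id that does match a live session is left alone, so a fresh session must still be issued at login time to cover that case.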
