[jboss-user] [Installation, Configuration & DEPLOYMENT] hitting a specific node from the cluster

Nestor Urquiza nestor.urquiza at gmail.com
Fri Oct 26 18:15:56 EDT 2007


Hi guys,

I think this is the right place for my question. My original subject
contained just [jboss-user], and I guess that might be the cause of
the missing response.

Any help greatly appreciated!

Thanks,

-Nestor

On 10/26/07, Nestor Urquiza <nestor.urquiza at gmail.com> wrote:
> So I have found my own answer, basically if the request is made using
> Cookie: JSESSIONID=.<node name>
>
> The curious part is that when a request is made and the proper node
> responds the session Id keeps being ".<node name>". I would expect the
> cookie to be rewritten by the server but it never does.
>
> This makes me think about an attack possibility. If a hacker somehow
> manages to redirect a user with that session Id to a cluster
> environment he could potentially access user sensitive data because in
> fact he knows the user session?
>
> I have even done tests from two different IPs and my program kept the
> session with the two requests using the same ".node3C1" session Id:
>
> [Fri Oct 26 10:22:04 2007] [30497:26304] [debug]
> ajp_done::jk_ajp_common.c (2194): recycling connection pool slot=0 for
> worker node3C1
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
> wc_maintain::jk_worker.c (318): Maintaining worker node1C1
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
> service::jk_lb_worker.c (735): service sticky_session=1 id='.node3C1'
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
> get_most_suitable_worker::jk_lb_worker.c (634): searching worker for
> partial sessionid .node3C1
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
> get_most_suitable_worker::jk_lb_worker.c (642): searching worker for
> session route node3C1
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
> get_most_suitable_worker::jk_lb_worker.c (655): found worker node3C1
> (node3C1) for route node3C1 and partial sessionid .node3C1
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
> service::jk_lb_worker.c (755): service worker=node3C1
> jvm_route=node3C1
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
> ajp_service::jk_ajp_common.c (1734): processing node3C1 with 2 retries
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
> ajp_done::jk_ajp_common.c (2194): recycling connection pool slot=0 for
> worker node3C1
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
> wc_maintain::jk_worker.c (318): Maintaining worker node1C1
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
> service::jk_lb_worker.c (735): service sticky_session=1 id='.node3C1'
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
> get_most_suitable_worker::jk_lb_worker.c (634): searching worker for
> partial sessionid .node3C1
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
> get_most_suitable_worker::jk_lb_worker.c (642): searching worker for
> session route node3C1
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
> get_most_suitable_worker::jk_lb_worker.c (655): found worker node3C1
> (node3C1) for route node3C1 and partial sessionid .node3C1
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
> service::jk_lb_worker.c (755): service worker=node3C1
> jvm_route=node3C1
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
> ajp_service::jk_ajp_common.c (1734): processing node3C1 with 2 retries
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
> ajp_connection_tcp_send_message::jk_ajp_common.c (892): 00f0    30 00
> 06 00 07 6E 6F 64 65 33 43 31 00 FF 00 00  - 0....node3C1....
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
> ajp_done::jk_ajp_common.c (2194): recycling connection pool slot=0 for
> worker node3C1
>
> Any ideas about how to make the server force the creation of a brand
> new random session id after receiving any request using a non-existing
> session id?
>
> Thanks!,
>
> -Nestor
>
>
> On 10/15/07, Nestor Urquiza <nestor.urquiza at gmail.com> wrote:
> > Hello guys,
> >
> > Just new to JBoss World so if this is not the right list please be
> > kind and advise where I should post the question.
> >
> > Currently we have a cluster formed of three nodes, each of them in
> > separate machines. I want to be able to target a specific node from my
> > HTTP request. Is there any HTTP Header/GET/POST param that would allow
> > me to make one node respond to my request?
> >
> > Thanks in advance,
> >
> > -Nestor
> >
>
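
As an added example (not part of the original mail, and not mod_jk code): a small Python check that scans mod_jk debug output in the format quoted above and reports requests whose session id is only a route suffix such as `.node3C1`. The sample log is constructed from lines in the mail plus one made-up full id; the function names and the set of worker names passed in are assumptions.

```python
import re

# One mod_jk record: "[timestamp] [pid:tid] [level] message". The message may
# wrap over several physical lines, as it does in the mail above.
RECORD = re.compile(
    r"\[([^\]]+)\]\s+\[(\d+):(\d+)\]\s+\[(\w+)\]\s+(.*?)(?=\n\[|\Z)", re.S)
STICKY = re.compile(r"service sticky_session=\d+ id='([^']*)'")

# Constructed sample: first and last records follow the mail, the third
# (with a made-up full session id) is added for contrast.
SAMPLE_LOG = """\
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug] service::jk_lb_worker.c (735): service sticky_session=1 id='.node3C1'
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug] service::jk_lb_worker.c (755): service worker=node3C1
jvm_route=node3C1
[Fri Oct 26 10:24:01 2007] [30496:26304] [debug] service::jk_lb_worker.c (735): service sticky_session=1
id='A1B2C3D4E5F6.node1C1'
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug] service::jk_lb_worker.c (735): service sticky_session=1 id='.node3C1'
"""

def split_session_id(raw):
    """Split 'SESSIONPART.route' at the first dot (assumption: the session
    part itself contains no dot, as in the ids logged above)."""
    session_part, dot, route = raw.partition(".")
    return (session_part, route) if dot else (raw, "")

def find_route_only_ids(log_text, known_routes):
    """Return (timestamp, pid, route) for each request whose id is '.<route>'
    with an empty session part and a route naming a configured worker."""
    hits = []
    for ts, pid, _tid, _level, msg in RECORD.findall(log_text):
        msg = " ".join(msg.split())  # undo line wrapping inside the record
        match = STICKY.search(msg)
        if not match:
            continue
        session_part, route = split_session_id(match.group(1))
        if session_part == "" and route in known_routes:
            hits.append((ts, int(pid), route))
    return hits

if __name__ == "__main__":
    for hit in find_route_only_ids(SAMPLE_LOG, {"node1C1", "node3C1"}):
        print("route-only session id:", hit)
```
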