[jboss-user] hitting a specific node from the cluster

Nestor Urquiza nestor.urquiza at gmail.com
Wed Jan 30 16:28:20 EST 2008


Just to update this thread take a look at
http://jira.jboss.com/jira/browse/JBAS-2568

Bottom line: the attribute emptySessionPath must be set to "false" for the
specific connector. That will make Tomcat respond to the request using
an internally generated cookie.

As stated there though this might come with problems for portlets and
other web apps that rely on session sharing between them.

On 10/26/07, Nestor Urquiza <nestor.urquiza at gmail.com> wrote:
> So I have found my own answer, basically if the request is made using
> Cookie: JSESSIONID=.<node name>
>
> The curious part is that when a request is made and the proper node
> responds the session Id keeps being ".<node name>". I would expect the
> cookie to be rewritten by the server but it never does.
>
> This makes me think about an attack possibility. If a hacker somehow
> manages to redirect a user with that session Id to a cluster
> environment he could potentially access user sensitive data because in
> fact he knows the user session?
>
> I have even done tests from two different IPs and my program kept the
> session with the two requests using the same ".node3C1" session Id:
>
> [Fri Oct 26 10:22:04 2007] [30497:26304] [debug]
> ajp_done::jk_ajp_common.c (2194): recycling connection pool slot=0 for
> worker node3C1
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
> wc_maintain::jk_worker.c (318): Maintaining worker node1C1
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
> service::jk_lb_worker.c (735): service sticky_session=1 id='.node3C1'
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
> get_most_suitable_worker::jk_lb_worker.c (634): searching worker for
> partial sessionid .node3C1
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
> get_most_suitable_worker::jk_lb_worker.c (642): searching worker for
> session route node3C1
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
> get_most_suitable_worker::jk_lb_worker.c (655): found worker node3C1
> (node3C1) for route node3C1 and partial sessionid .node3C1
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
> service::jk_lb_worker.c (755): service worker=node3C1
> jvm_route=node3C1
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
> ajp_service::jk_ajp_common.c (1734): processing node3C1 with 2 retries
> [Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
> ajp_done::jk_ajp_common.c (2194): recycling connection pool slot=0 for
> worker node3C1
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
> wc_maintain::jk_worker.c (318): Maintaining worker node1C1
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
> service::jk_lb_worker.c (735): service sticky_session=1 id='.node3C1'
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
> get_most_suitable_worker::jk_lb_worker.c (634): searching worker for
> partial sessionid .node3C1
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
> get_most_suitable_worker::jk_lb_worker.c (642): searching worker for
> session route node3C1
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
> get_most_suitable_worker::jk_lb_worker.c (655): found worker node3C1
> (node3C1) for route node3C1 and partial sessionid .node3C1
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
> service::jk_lb_worker.c (755): service worker=node3C1
> jvm_route=node3C1
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
> ajp_service::jk_ajp_common.c (1734): processing node3C1 with 2 retries
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
> ajp_connection_tcp_send_message::jk_ajp_common.c (892): 00f0    30 00
> 06 00 07 6E 6F 64 65 33 43 31 00 FF 00 00  - 0....node3C1....
> [Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
> ajp_done::jk_ajp_common.c (2194): recycling connection pool slot=0 for
> worker node3C1
>
> Any ideas about how to make the server force the creation of a brand
> new random session id after receiving any request using a non-existing
> session id?
>
> Thanks!,
>
> -Nestor
>
>
> On 10/15/07, Nestor Urquiza <nestor.urquiza at gmail.com> wrote:
> > Hello guys,
> >
> > Just new to JBoss World so if this is not the right list please be
> > kind and advise where should I post the question.
> >
> > Currently we have a cluster formed of three nodes, each of them in
> > separate machines. I want to be able to target a specific node from my
> > HTTP request. Is there any HTTP Header/GET/POST param that would allow
> > me to make one node respond to my request?
> >
> > Thanks in advance,
> >
> > -Nestor
> >
>
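The thread's mod_jk debug output shows the behaviour from the defender's side: a JSESSIONID of ".node3C1" carries no session id at all, yet the load balancer still honours the route suffix (sticky_session=1) and Tomcat echoes the cookie back unchanged. The following Python is an added example, not code from the thread or from JBoss/mod_jk. It offers two checks a front-end or log-review script can apply alongside the emptySessionPath="false" fix: a cookie validator that a proxy can use to drop route-only or malformed JSESSIONID values (so the backend mints a fresh random id), and a scanner over mod_jk "service sticky_session=... id='...'" lines that flags such requests. The function names, the known-route set, the assumption that session ids are 32 upper-case hex characters (Tomcat's default 16-byte id), and the sample log lines (unwrapped copies modelled on the quoted ones) are all constructed for this example.

```python
"""Defender-side checks for route-suffixed JSESSIONID cookies behind mod_jk.

Example code constructed for this thread; not part of JBoss, Tomcat or mod_jk.
"""
import re

# Route separator as seen in the thread's log lines ("partial sessionid .node3C1").
# Assumption for this example: the route is whatever follows the last '.'.
ROUTE_SEP = "."

# Assumption: Tomcat's default session id is 16 random bytes rendered as 32
# upper-case hex characters. Adjust if sessionIdLength or the id generator differs.
SESSION_ID_RE = re.compile(r"^[0-9A-F]{32}$")

# Matches the "service sticky_session=N id='...'" line emitted by jk_lb_worker.c,
# as quoted in the thread (here assumed to be on a single, unwrapped line).
SERVICE_LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]+\] \[debug\] "
    r"service::jk_lb_worker\.c \(\d+\): service sticky_session=(?P<sticky>\d) "
    r"id='(?P<id>[^']*)'$"
)

# Constructed: the cluster's jvmRoute names (three nodes, as in the original question).
KNOWN_ROUTES = {"node1C1", "node2C1", "node3C1"}

# Constructed sample log, modelled on the mod_jk output quoted in the thread.
SAMPLE_LOG = """\
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug] service::jk_lb_worker.c (735): service sticky_session=1 id='.node3C1'
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug] get_most_suitable_worker::jk_lb_worker.c (655): found worker node3C1 (node3C1) for route node3C1 and partial sessionid .node3C1
[Fri Oct 26 10:24:01 2007] [30495:26304] [debug] service::jk_lb_worker.c (735): service sticky_session=1 id='0123456789ABCDEF0123456789ABCDEF.node1C1'
[Fri Oct 26 10:24:40 2007] [30495:26304] [debug] service::jk_lb_worker.c (735): service sticky_session=1 id='abc.node9'
"""


def split_session_id(value):
    """Split 'SESSIONID.route' into (session_id, route); route is '' when absent.

    A value of '.node3C1' therefore yields ('', 'node3C1'): a route with no session.
    """
    if ROUTE_SEP not in value:
        return value, ""
    sid, _, route = value.rpartition(ROUTE_SEP)
    return sid, route


def check_session_cookie(value, known_routes):
    """Return the list of problems with a JSESSIONID value (empty means it looks sane).

    A front-end proxy can strip the cookie whenever this list is non-empty, so Tomcat
    creates a brand-new random session instead of echoing a client-chosen route-only id.
    """
    problems = []
    sid, route = split_session_id(value)
    if sid == "":
        problems.append("route-only cookie, no session id")
    elif not SESSION_ID_RE.match(sid):
        problems.append("session id not in expected format")
    if route and route not in known_routes:
        problems.append("unknown route %r" % route)
    return problems


def find_suspicious_routes(log_text, known_routes):
    """Scan mod_jk debug output for sticky-routed requests whose cookie fails
    check_session_cookie(). Returns a list of (timestamp, cookie_value, problems)."""
    findings = []
    for line in log_text.splitlines():
        m = SERVICE_LINE_RE.match(line.strip())
        if not m or m.group("sticky") != "1":
            continue
        problems = check_session_cookie(m.group("id"), known_routes)
        if problems:
            findings.append((m.group("ts"), m.group("id"), problems))
    return findings


if __name__ == "__main__":
    for ts, cookie, problems in find_suspicious_routes(SAMPLE_LOG, KNOWN_ROUTES):
        print("%s  id=%r  %s" % (ts, cookie, "; ".join(problems)))
```

Run against the constructed sample, the scanner reports the ".node3C1" request (route present, session id empty) and the "abc.node9" request (malformed id and a route that is not one of the cluster's nodes), while the well-formed id bound for node1C1 passes. The same check_session_cookie() logic, placed in front of the balancer, removes the client's ability to pick a node with a cookie that names no real session.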
